You have a legal right to know if an organisation uses or stores your personally identifiable information (PII). PII describes any data that can be used to identify an individual, either on its own or along with other information. To find out if an organisation is processing your personal data (and how and why it is doing so), you should make a data subject access request (SAR).
Find out how to make a SAR on the Information Commissioner’s Office (ICO) website.
However, while the right to make a SAR is enshrined under data protection legislation, too many businesses are either ignoring SARs or trying to fob people off with lengthy delays. So what can you do if an organisation is failing to respond to your SAR?
First and foremost, it is vital to know your rights.
What to do if you are being charged to make a subject access request
You should not be charged to make a SAR. However, an organisation can charge “reasonable” fees for “manifestly unfounded or excessive” requests.
If you are being told you need to pay for your data, ask why the charge is being made. You should also reference that you have the right to make a SAR for free under the Data Protection Act 2018. If you believe the fees to be unfair, you should complain to the organisation in question, and if the matter is not resolved, report your concerns to the ICO.
How long do you have to wait for your data?
Organisations should respond to any SARs within one calendar month. If they need extra time to fulfil your request, they may take a further two months to do this. However, the organisation must let you know within one month if it needs more time and explain why.
It might take longer for an organisation to provide you with every piece of data they hold on you. So if you need information on a particular piece of data and you want it ASAP, it makes sense to be specific when making your SAR.
What to do if you can't find the correct contact information
Organisations must provide contact details for making a SAR. This is usually found on the organisation’s website (check the privacy policy usually found in the footer). If you cannot find these details, let the company know. If they do not make it available, you can complain to the ICO.
What to do if you are sent the wrong information
Firstly you should write to the organisation explaining what information you think is missing. You should be as specific as possible. If you are still not happy with the organisation’s response, and it is not providing all the data and/or answers you asked for, you can complain to the ICO.
What to do if an organisation refuses your subject access request
You can make as many SARs as you want, but organisations can refuse your requests if they believe them to be “manifestly unfounded or excessive”. Depending on the circumstances, an organisation might also deny a SAR if the data requested includes information about another individual.
However, an organisation cannot just ignore a SAR. If it is being refused, they must contact you and explain why. And, if you believe that a request has been unfairly rejected, you should raise a complaint with the organisation in question, and if you remain dissatisfied, the ICO.
What to do if an organisation ignores your subject access request
If you have made a SAR but have not heard anything back after a month, write to the organisation to remind them that under the GDPR, they must either fulfil your request or let you know why they cannot.
According to the ICO, “a calendar month starts on the day after the organisation receives the request, even if that day is a weekend or public holiday. It ends on the corresponding calendar date of the next month.”
If you still do not hear back, you should complain using the organisation’s complaints process. And, if you are not happy with their response, you contact the ICO.
What to do if your information is incorrect
If something in your personal data is wrong, you can ask to have it corrected. Again, organisations must respond to your request within one month. However, an organisation may charge you a fee or deny your request if they think it is “unfounded or excessive”.
If an organisation refuses to correct your data, you can complain to the ICO. However, there is a difference between information that is incorrect and information that you disagree with. So, organisations do not have to change your data in all circumstances.
Know your GDPR rights
When it comes to GDPR abuses, it is not just about data breaches. Today, too many companies are failing to uphold individual data rights in other ways.
The good news is that the ICO is intent on pursuing organisations that are not taking their data protection obligations seriously. In fact, it has taken a company to court for failing to respond to an ICO enforcement notice which ordered the business to provide the information requested via a SAR. Commenting on this case, a spokesperson for the ICO said:
“The right to access your own personal information is a fundamental and long-standing principle of data protection law. New laws brought into effect last May strengthen those rights even further.
Organisations not only have to respect this right but must also respect notices from the ICO enforcing the law. If they fail to do so then they must accept the consequences, which can include a criminal prosecution.”
At Keller Postman UK, we are committed to upholding the data protection rights of our clients. As well as pursuing data breaches, we make sure our clients are compensated for any GDPR violations that impact their legal rights. Our expert data rights lawyers help clients make a wide range of successful GDPR claims.