We recently conducted a ‘mystery shop’ exercise in collaboration with a client to see how well organisations in their sector were complying with Subject Access Requests under the Data Protection Acts. A whitepaper on our findings and their implications is currently being prepared, but I thought I’d share some thoughts in advance of that publication.
Subject Access Requests are a window into the data-soul of your organisation.
The majority of an organisation’s data interactions with their customers (or, for that matter, their staff) are in the Obtaining and Applying phases of the Information Asset Life Cycle. We take people’s data, process it, and spit out an outcome for them. The sausage machine turns and the cycle repeats as needed.
But a Subject Access Request is different.
In this context an organisation has to:
- Figure out what data they have about an individual
- Figure out why they have it, where they got it from, and why they are holding on to it
- Verify the identity of the requester
- Respond within 40 days
- Levy the correct fee (if one is being levied at all)
- Understand what restrictions or exemptions might apply to the response to the Subject Access Request
- Have data governance structures in place so that responses are dealt with effectively and efficiently.
I won’t spoil the surprise of the mystery shop data, but the results were shocking. Of the sample set of organisations targeted, one still has not responded to the initial request, now well beyond the 40-day period.
Subject Access Requests are a great opportunity to look into your organisation’s “data soul”. They are also a great opportunity to have a dialogue with customers, staff, or other stakeholders.
It’s a pity so many organisations miss these opportunities!