collage of people holding their heads in pain of headache

Charities have always been in the spotlight for how they use people’s personal information. The Data Protection Act 2018 (DPA 2018) brought the provisions of the General Data Protection Regulation 2018 (GDPR) into force in the UK, and one area that has changed under the GDPR are the provisions around an individual’s right to request the information a charity holds about them. This right is called a data subject access request.

What is a data subject access request?

A data subject access request is a request from any person to be told what information an organisation holds about them and why it is holding this information. This request can be verbal or written and does not have to be in any particular form as long as it’s clear that the person is requesting their own personal data.

Common pitfalls

Any person that the charity has personal data about can make a request. As well as the obvious categories of people such as donors, members and customers who can make a data subject access request, this includes employees, volunteers and trustees, so each organisation will need to know how and why it holds information about each of these categories.

Having to respond to a data subject access request can really highlight any deficiencies in internal policies and procedures. It’s a good idea to be proactive about your data protection compliance in this area and to make sure there are well-oiled processes for responding in place before any request is received.

Charities should be particularly aware of the potential for “lost” requests which have come into email accounts that are not regularly monitored, as this can result in less time to respond or worse missing the deadline entirely raising the possibility of investigation and fines by the data protection regulator, the Information Commissioner’s Office.

The DPA 2018 sets out how organisations have to respond to this request and below we have detailed the major changes under the DPA 2018.

What’s new?

  1. No fee. Organisations can no longer charge a fee for complying with the request. The scrapping of the fee has meant we have seen an increase in the number of SARs being made to charities.
  2. One month deadline. There is a shorter time limit for responding to the request. Instead of 40 days to respond, it’s now one calendar month so beware of the different month lengths, particularly if you get a DSAR in February.
  3. Detailed response needed. As well as providing the actual personal data, organisations now have to include certain other information in their response, including the legal basis under the DPA 2018 relied on by the charity for holding and using each different type of personal data, even if the person’s request doesn’t ask for this information.

Tips for the future

  1. Have good GDPR compliance. Make sure your organisation is as GDPR compliant as possible in the first place. This includes having good privacy policies and ensuring data is used “on the ground” in the way those internal policies say they will be.
  2. Establish a Data Subject Access response process. It’s crucial to have a process for how to police SAR requests coming in and decide who will do what: who is responsible for collecting the data and who will ensure the deadline is met.
  3. Train your staff. It’s possible that a data subject access request could be sent to any charity employee so train your staff to recognise these requests and make sure they know who within the organisation the requests should be passed to for response.