Know your SARs from your elbow
Here’s a quick, unscientific experiment you can conduct this week. Call up your contact centre, say you’re a customer and that you’d like to lodge a Subject Access Request (SAR). Does the agent understand what you mean? Does it sound like they know what the internal processes are for responding to one (they may quite legitimately ask you to send the SAR in writing)? At the same time, enquire as to how your organisation does – or would – actually comply with a SAR.
If it’s a slick and comprehensive process, that’s great. If it’s manual, slow or doesn’t encompass all your data sources, then add this to your list of GDPR priorities.
SARs aren’t new; they’ve been around for years. But under the GDPR and the new Data Protection Act they will typically need to be responded to more quickly (within a month) and, crucially, can’t be subject to the payment of a nominal fee (usually £10).
As the new Data Protection Bill moves closer to getting the Royal Assent and becoming law, more and more people will be reminded of their SAR rights – now with no financial barriers to exercising them.
Just imagine if an aggrieved individual realises that fulfilling SARs is an operational challenge for you and creates a social media storm resulting in, say, 500 requests arriving all at once. As with most of these issues, if changes need to be made, they are likely to be technical and operational – but also about how you communicate with prospects and train your frontline colleagues.