On receiving a Subject Access Request, you have one month to respond.
From the moment the request is received into your organisation the clock is ticking.
Are your staff trained to recognise a request?
A request doesn’t need to be in writing. Anyone in your organisation may receive a request verbally. As businesses use social media for marketing purposes, all those who monitor the channels need to be aware that a request can come in that way.
As GDPR doesn’t specify how a request can be made, you need to be aware of all the possible channels.
An individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point.
Should you not respond to a request, a complaint may be made to the ICO.
An enforcement notice could follow and failing to respond to that could end up in court!
With GDPR, the monetary penalties were extended and there is a risk of a fine of up to 4% of your annual turnover. The fines are per request, so don’t get caught out ignoring several requests!
The consequences of a court case could be devasting for a business, so make sure you are tooled up and ready!