In May next year, the UK’s Data Protection Act will be superseded by the GDPR. The GDPR is designed to give citizens more control of the information organisations hold on them and how that information is used.
There will be tougher penalties for organisations that don’t keep accurate records or that don’t have a valid reason for holding the information.
The UK’s Information Commissioner’s Office (ICO) can currently fine up to £500,000 for malpractice, but under the GDPR will be able to fine up to €20 million or 4% of annual turnover (whichever is higher). Individuals can also sue a business for compensation to recover both material damage and non-material damage, like distress.
What is a SAR?
SAR = Subject Access Request
A SAR is a request that individuals can make to organisations to be provided with a copy of any information held on them.
When the GDPR goes live in May 2018, a key change is that SARs will have to be completed within 30 days and organisations will no longer be able to charge for them. At the moment, individuals can ask for the information but an organisation can take up to 40 days to supply it and they can charge a £10 fee.
We’re often asked by businesses to predict how many SARs people will make after the General Data Protection Regulation (GDPR) comes into force. There is currently limited data on this, so we decided to ask the public, just over 1000 people, what they knew about the forthcoming privacy changes and whether they intended to raise a SAR to find out what information companies held on them.
We found that 57% of people said they would want to request their data. We also found that they were most likely to ask the finance and banking sector, mobile network providers and social media platforms; some will also ask their current or past employers.
Completed SARs can use a staggering amount of paper. When an Exonar employee submitted a SAR to their bank – with whom they have been a customer for over 10 years – they received around 800 pieces of paper delivered in two large boxes by a courier.
Companies can provide the data they hold on you in digital form and 92% of consumers told us that is how they would prefer to receive their information. However, many organisations aren’t geared up to support this, and the financial impact on these businesses, combined with the cost to the environment of producing the paper and shipping it securely, is staggering.
In order to offset the environmental impact of producing paper-based Subject Access Requests (SARs) and to encourage organisations to consider moving towards a digital process, Exonar is asking that for every SAR that is produced on paper, organisations either plant a tree or make a donation to the Woodland Trust.