Facit Data Systems
Busting Common Myths About Responding to Subject Access Requests

Subject Access Request Misconceptions and GDPR Facts

In this article, we tackle SAR misconceptions at a time when Facit and its partners still encounter myths about, and resistance to, SAR fulfilment, especially when it requires redaction (data masking), even though GDPR has been around for 7 years and the laws around access rights are clear.

Busting Myths About Responding to Subject Access Requests (SARs)

In the world of data protection, Subject Access Requests (SARs, sometimes called DSARs) are a fundamental right that allows individuals to access the personal data organisations hold about them. However, myths about handling subject access requests persist, especially among system integrators and their customers. Let’s tackle some of these myths and clarify the obligations under the General Data Protection Regulation (GDPR).


Subject Access Request Myths and GDPR Facts

Myth 1: SARs Only Apply to Requests from Police or Solicitors

A common myth is that organisations only have to provide personal data, such as video footage, to the police or lawyers.

In reality, under GDPR, any individual has the right to request access to their personal data, regardless of who they are. This means organisations must respond to SARs from any individual asking for information about themselves, or from that individual’s authorised representative.

Myth 2: SARs Can Be Ignored or Dismissed Without Consequence

Some assume that ignoring a SAR carries no significant consequences. But failing to comply with a SAR can lead to enforcement action by the Information Commissioner’s Office (ICO), including fines.

For example, the ICO can issue fines for non-compliance with data protection laws. Even where no fine is issued, the ICO will issue and monitor enforcement notices, which in themselves cause business disruption, incur costs and often lead to reputational damage.

Check the ICO’s guidance on law enforcement SAR processing and its descriptions of potential penalties.

Myth 3: All SARs Can Be Refused If They Are Inconvenient

While organisations can refuse to comply with a SAR if it’s “manifestly unfounded” or “manifestly excessive”, these terms have specific meanings.

A request may be considered manifestly unfounded if the individual has no intention to exercise their right of access and is instead using the request to harass the organisation.

A request may be deemed manifestly excessive if it’s repetitive with no reasonable gap between requests.

But the threshold for these exemptions is high and organisations must assess each request before deciding not to comply.

Myth 4: SARs Can Be Refused Because You Can’t Redact Third-Party Data

This is not true. An organisation can’t refuse a SAR just because it doesn’t have the ability to redact (mask or hide) information. Under GDPR, organisations must take reasonable steps to provide access to personal data while protecting the privacy of others. Here are some key points about the requirement for redaction:

1. Redaction is an Obligation, Not a Choice

If a SAR includes personal data that also relates to other individuals, the organisation must redact the third-party information unless:

  • The third party has given consent to its disclosure, or

  • It’s reasonable to disclose the information without consent.

2. Lack of Redaction Tools is Not a Justifiable Reason

The ICO expects organisations to have the means to redact or anonymise data before providing access. If an organisation doesn’t have the technology or resources, it is the organisation’s responsibility to find a solution - not a reason to refuse.

Failure to provide redacted video footage can lead to ICO enforcement. The ICO has made it clear that organisations can’t evade SAR obligations because of internal limitations.

If an individual escalates their request to the ICO, the organisation could face enforcement action, including warnings, reprimands or fines.

3. Alternative Approaches if Redaction is Difficult

  • Use third-party services
    If an organisation doesn’t have in-house redaction tools, they can outsource the task.

  • Provide still images instead of full video
    If redacting moving footage is too complex, supplying key stills with necessary information may be an option.

  • Work with the data requestor
    Organisations can engage with the individual to clarify their needs and find a practical solution.

  • Explore in-house redaction tools
    Today’s in-house video redaction tools, such as Facit’s Identity Cloak, are fast, reliable and cost-effective.

Final Word on SAR Redaction

Inability to redact is not a lawful reason to refuse a SAR. Organisations must invest in the right tools and processes to comply with data protection law.

The Consequences of Non-Compliance

Ignoring or mishandling SARs can have serious consequences. The ICO will issue enforcement notices requiring organisations to take specific actions to comply with the law.

Failure to comply with an enforcement notice is a criminal offence and can result in fines or other penalties.

Proactive Compliance Measures for Organisations

To manage SARs successfully and stay compliant:

  • Policies
    Create and document SAR procedures to ensure prompt and accurate responses.

  • Staff Training
    Educate employees on data protection responsibilities and how to respond to SARs.

  • Resource Allocation
    Ensure sufficient resources are available to manage SARs, especially during peak times.

  • ICO Guidance
    If in doubt, contact the ICO for advice on complex SARs or data protection issues.

By busting these myths and taking proactive measures, organisations can protect individual rights and build trust in their data handling practices.

Master SAR Compliance - Protect Your Business, Build Trust

Do you struggle with subject access requests? Many organisations misunderstand their obligations and are at risk.

Navigate the SAR minefield with confidence and compliance and make regulatory requirements work in your favour.

Facit’s compliance redaction tools let you turn regulatory challenges into opportunities to show your data protection credentials.

Bring video redaction and document redaction in-house where it is secure within your own IT environment.

Reduce disputes and ICO complaints with efficient SAR processing from the start.

What Compliance Experts Say About Well-Managed SARs

“Organisations that handle DSARs correctly demonstrate their commitment to data subjects’ rights and build lasting trust with customers and employees.” (ICO)

“Clear DSAR protocols are essential for modern data governance. Organisations that excel in this area typically see fewer complaints and smoother regulatory interactions.” (UK Data Protection Association)

Don’t let myths about SARs put your business at risk. Get it right; get in touch now.
