August 30, 2018

How to deal with a subject access request from a third party

An independent financial advisor (IFA) client of Astrid's recently received a subject access request. To make matters more complicated, the request came through a third party, a financial claims firm. We look at how to deal with a subject access request from a third party and how to ensure that it is a genuine request from the data subject.

The subject access request

The independent financial advisor received a subject access request, but not directly from their client. The request came from a financial claims firm acting on behalf of the client. This third party requested 'all records' that the IFA held on that client.

The letter looked legitimate, and the claims company was registered on the Ministry of Justice financial claims database, so it appeared to be a genuine subject access request to the IFA. On the other hand, the letter referred to older data protection law rather than the Data Protection Act 2018 (which incorporates the requirements of the General Data Protection Regulation). This raised concerns that the letter wasn't genuine. Was it a scammer trying to obtain information about a client?

How to respond to this subject access request

So what should a company do in this case?

1. Treat the request as genuine until you can prove otherwise

Always start with an identity check on the person whose data is covered by the subject access request. You must be able to show that the person you are sending the data to is definitely the data subject, and that they actually made the request. Imagine sending a client's financial details only to find they didn't make the request!

2. Prepare for the request to be genuine

You have 30 days to find and provide the information requested. The Information Commissioner's Office (ICO) expects organisations to respond promptly to subject access requests and to meet the requirements of the request where possible (without breaching the privacy of others).

While you're confirming that the request is genuine, use the time appropriately to locate the requested information. It's probably reasonable to 'stop the clock' while you're doing the ID check, but if a legal claims firm is involved you don't want to give them further grounds for complaint or a penalty.

No response on whether the subject request was genuine

In our IFA client's case, they received no response from their client confirming that the request was genuine. They had effectively reached an impasse. Releasing personal data to a third party without a confirmed ID check would be a significant data breach; failing to respond to the subject access request at all would not be compliant with GDPR.

The ICO's advice, in this specific case, was for the IFA to send copies of the personal data directly to the client rather than to the third party (the IFA was able to identify the client and their current address). This way, the IFA would meet the requirements of the subject access request without risking a breach of confidentiality. The client could then review the information and choose whether to forward it to the third party.

Further guidance on subject access requests

Astrid provides clear guidance and a simple template for companies to use when they receive subject access requests. It records the type of subject access request received, guides users through the steps they need to take to respect the privacy of all individuals involved, and records the outcome of the process. Subscribe today to download this template and get your GDPR compliance system up to scratch.


Emma Oram
