Right of data subjects under GDPR (Part 1) – Data subject access requests
Data protection legislation grants individuals a wide array of rights that can be enforced against organisations that process their personal data. These rights can limit an organisation's ability to process the personal data of data subjects lawfully, and in some cases prevent processing altogether.
This month’s blog will look at the rights of access and portability. Next month we will consider rights of rectification, restricting processing and the so called ‘right to be forgotten’.
Subject Access Request (SAR)
A SAR is a request by an individual for a copy of personal information that your organisation may hold about them. The purpose of a SAR is to make individuals aware of and allow them to verify the lawfulness of processing of their personal data.
Under the current Data Protection Act (DPA), individuals have the right to obtain confirmation as to whether personal data is being processed. They are also entitled to be provided with:
- the reasons why their data is being processed;
- the description of the personal data concerning them;
- the recipients, or categories of recipients, to whom their personal data has been or will be disclosed; and
- details of the source of their data, if it was not collected from them.
If an individual wishes to exercise their subject access right, the request must be made in writing and the organisation is entitled to charge a fee of £10. The organisation has 40 days from receipt of a valid request to respond.
How will this change under GDPR?
Responding to a SAR under the GDPR is similar to that under the DPA albeit with some key changes as set out below:
- Time to respond: you must respond to a SAR within a month (although there is a possibility to extend this period for particularly complex requests);
- Fee: you may not charge for complying with a request unless the request is ‘manifestly unfounded or excessive’. You may, however, charge a reasonable fee based on administrative costs for further copies of the same information;
- Excessive requests: if you are refusing a request or making a charge on the basis that the request is ‘manifestly unfounded or excessive’ you must provide evidence as to how the conclusion that the request is manifestly unfounded or excessive was reached. At present there is very little guidance on what is meant by ‘manifestly unfounded or excessive’ and therefore your organisation should approach this with some caution;
- Content of response: the individual is entitled to know what information is held about them and what processing is being carried out. In responding to a request, you may need to provide further information such as the relevant data retention period and the right to have inaccurate data corrected;
- Electronic access: it must be possible to make requests electronically (eg by email). In responding to a request that is made electronically, the information should be provided in a commonly-used electronic form, unless otherwise requested by the individual. The data controller must verify the individual’s identity prior to granting access to information; and
- Right to withhold: you may withhold personal data if disclosing it would ‘adversely affect the rights and freedoms of others’. This mirrors the current position under the DPA. The recitals to the GDPR note that this could extend to intellectual property rights and trade secrets. It is open to member states to introduce further exemptions, such as national security or legal privilege.
How will this affect your business?
If you handle a large number of SARs, the impact of these changes could be considerable and may add significantly to your administrative costs.
In particular, requests must be dealt with more quickly. And because the DPA’s 40-day period only started once the £10 fee had been paid, the removal of the fee means there will no longer be a way to ‘stop the clock’ while awaiting payment. Having an effective procedure in place will ensure that you are able to comply with the new reduced timescales.
What steps to take to prepare?
- Update your procedures and plan how you will handle SARs and provide the additional information within the new timescales;
- Ensure that employees are trained in dealing with SARs and that they can recognise when an individual has made a SAR and how this is to be dealt with;
- If staff have individual email accounts to which a SAR could be sent, ensure that these are monitored when the member of staff is out of the office so that SARs are not overlooked;
- Assess your organisation’s ability to quickly isolate data pertaining to a specific individual and to provide data in compliance with the GDPR’s format obligations;
- Design and maintain template response letters to ensure that all elements of a response to a SAR under the GDPR are being complied with; and
- Consider putting a ‘data subject access portal’ in place allowing an individual to access their information easily online (and minimising your costs dealing with the SAR).
Right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Individuals must be able to transfer personal data easily from one IT environment or service provider to another in a safe and secure way, without hindrance to usability.
The right to data portability only applies:
- to information which the individual has provided to a controller;
- where the lawful basis for processing is consent or for the performance of a contract; and
- when processing is carried out by automated means.
How do I comply?
- You must respond without undue delay, and within one month. This can be extended by a further two months where the request is complex or you receive a number of requests. If an extension is required, you must inform the individual within one month of receipt of the request and explain why the extension is necessary;
- You must provide the personal data in a structured, commonly used and machine-readable form. (Machine-readable means that the information is structured so that software can extract specific elements of the data; this enables other organisations to reuse it);
- The information must be provided free of charge;
- If the individual requests it, you may be required to transmit the data directly to another organisation if this is technically feasible. However, you are not required to adopt or maintain processing systems that are technically compatible with other organisations;
- If the personal data concerns more than one individual, you must consider whether providing the information would prejudice the rights of any other individual; and
- Where you are not taking action in response to a request, you must tell the individual why, without undue delay and at the latest within one month of receipt, and inform them of their right to complain to the supervisory authority and to seek a judicial remedy.
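To make the two practical points above concrete (isolating everything held about one individual, and exporting only the portability-eligible subset in a machine-readable form while protecting third parties), here is an added worked example. It is not code from the original post or from any real system: the record layout, the tagging fields (provided_by_subject, lawful_basis, automated), the THIRD_PARTY_FIELDS list and the schema label are all assumptions standing in for whatever a real data inventory would supply. It also computes the one-month response deadline and the extended deadline using calendar months.

```python
"""Toy SAR / data-portability export (added example, not the post's own code).

The record layout and the tagging scheme (provided_by_subject, lawful_basis,
automated) are assumptions; a real system would map them from its own data
inventory.
"""
import calendar
import json
from datetime import date

# Constructed sample records: one per (table, row), each tagged with the
# metadata needed to decide whether the portability right applies.
RECORDS = [
    {"table": "accounts", "subject_id": 42, "provided_by_subject": True,
     "lawful_basis": "contract", "automated": True,
     "data": {"email": "alice@example.com", "display_name": "alice"}},
    {"table": "orders", "subject_id": 42, "provided_by_subject": True,
     "lawful_basis": "contract", "automated": True,
     "data": {"order_id": "A-1001", "delivery_address": "1 High St",
              "gift_recipient_name": "Bob Smith"}},
    {"table": "risk_scores", "subject_id": 42, "provided_by_subject": False,
     "lawful_basis": "legitimate_interest", "automated": True,
     "data": {"score": 0.12}},
    {"table": "paper_forms", "subject_id": 42, "provided_by_subject": True,
     "lawful_basis": "consent", "automated": False,
     "data": {"signed": True}},
    {"table": "accounts", "subject_id": 7, "provided_by_subject": True,
     "lawful_basis": "contract", "automated": True,
     "data": {"email": "bob@example.com", "display_name": "bob"}},
]

# Fields that describe someone other than the requesting subject (assumed
# list); these are withheld so other individuals' rights are not prejudiced.
THIRD_PARTY_FIELDS = {"gift_recipient_name"}

# Portability only applies where the lawful basis is consent or contract.
PORTABILITY_BASES = {"consent", "contract"}


def add_months(d, months):
    """Add calendar months, clamping to the last day of the target month
    (e.g. 31 Jan + 1 month -> 28 Feb in a non-leap year)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def response_deadline(received, extended=False):
    """One month from receipt; up to two further months if extended."""
    return add_months(received, 3 if extended else 1)


def subject_records(records, subject_id):
    """Isolate everything held about one individual (full SAR scope)."""
    return [r for r in records if r["subject_id"] == subject_id]


def is_portable(record):
    """Portability applies only to data the subject provided, processed on
    consent or contract, by automated means."""
    return (record["provided_by_subject"]
            and record["lawful_basis"] in PORTABILITY_BASES
            and record["automated"])


def redact_third_parties(data):
    """Drop fields about other individuals and report which were withheld."""
    kept = {k: v for k, v in data.items() if k not in THIRD_PARTY_FIELDS}
    withheld = sorted(k for k in data if k in THIRD_PARTY_FIELDS)
    return kept, withheld


def portability_export(records, subject_id, received):
    """Build a structured, machine-readable export for one subject."""
    items, withheld = [], []
    for r in subject_records(records, subject_id):
        if not is_portable(r):
            continue  # still disclosable under a SAR, but not portable
        data, w = redact_third_parties(r["data"])
        withheld.extend(f"{r['table']}.{f}" for f in w)
        items.append({"table": r["table"], "data": data})
    return {
        "schema": "portability-export/1",  # assumed schema label
        "subject_id": subject_id,
        "received": received.isoformat(),
        "respond_by": response_deadline(received).isoformat(),
        "records": items,
        "withheld_fields": withheld,
    }


if __name__ == "__main__":
    export = portability_export(RECORDS, 42, date(2018, 1, 31))
    print(json.dumps(export, indent=2))
```

Of the four records held about subject 42, only two are portable: the risk score was derived by the organisation rather than provided by the individual, and the paper form was not processed by automated means. Both would still have to be disclosed in response to an ordinary SAR, which is why the full-scope isolation step is kept separate from the portability filter.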