In part two of our series on GDPR, Pearl Moses, Head of Risk and Compliance, Law Society, looks at the new requirement of data subject access requests and how to manage them.
The procedure for making and responding to subject access requests remains similar to the current data protection laws, but the General Data Protection Regulation (GDPR) introduces some changes.
Under article 15 of the GDPR, individuals will have the right to obtain:
This is not dissimilar to the current provisions under the Data Protection Act 1998 (DPA) but there are some key differences concerning time limits, charging for requests and provisions relating to electronic access.
Under the current DPA a charge of £10 is permitted but the GDPR clearly states that in most circumstances subjects must be provided with a copy of the information they request free of charge. Allowance is made for charging a ‘reasonable fee’ when a request is manifestly unfounded, excessive or repetitive. The fee must be based on the administrative cost of providing the information.
You can refuse to reply to excessive, unfounded or repetitive requests but if you do so you must explain to the individual why you’re refusing and let them know of their right to appeal to the Information Commissioner’s Office (ICO).
The Regulation states that the information must be provided without undue delay and in any event within one month of receiving the request. Where requests are complex or numerous, you will be able to extend the deadline for providing the information to three months, but you must still respond to the request within a month, explaining why the extension is necessary.
You must provide data subjects with the option of making requests electronically (e.g. by email) as well as physically (by letter). Where a request is made electronically, the information must be provided in a commonly used file format. Bear in mind that the confidentiality of the information you hold is your most important consideration, so it is essential that you verify the identity of the person making the request and ensure that the data being disclosed is the correct data.
The changes to the rules regarding subject access requests mean that organisations will have to deal with requests more quickly and provide individuals with additional information. This, along with the fact that in most instances information must now be provided for free, means that organisations must dedicate more resources to responding to subject access requests.
These initial steps are just the starting point on what, for many firms, is likely to be a long journey. However, the clock is ticking. The Law Society and the Risk and Compliance Service have resources that will keep you informed and up to date, and our Advisory Service can help you to develop and implement your own approach.
Book a diagnostic session with us via email or ring us on 0207 316 5655.