In part two of our series on GDPR, Pearl Moses, Head of Risk and Compliance, Law Society, looks at the new requirement of data subject access requests and how to manage them.
The procedure for making and responding to subject access requests remains similar to the current data protection laws, but the General Data Protection Regulation (GDPR) introduces some changes.
1. What information is an individual entitled to under the GDPR?
Under article 15 of the GDPR, individuals will have the right to obtain:
- confirmation that their data is being processed;
- access to their personal data; and
- supplementary information about the processing of their data.
This is not dissimilar to the current provisions under the Data Protection Act 1998 (DPA) but there are some key differences concerning time limits, charging for requests and provisions relating to electronic access.
2. Can I charge for any information requested?
Under the current DPA a charge of £10 is permitted but the GDPR clearly states that in most circumstances subjects must be provided with a copy of the information they request free of charge. Allowance is made for charging a ‘reasonable fee’ when a request is manifestly unfounded, excessive or repetitive. The fee must be based on the administrative cost of providing the information.
You can refuse to reply to excessive, unfounded or repetitive requests but if you do so you must explain to the individual why you’re refusing and let them know of their right to appeal to the Information Commissioner’s Office (ICO).
3. How much time do I have to respond?
The Regulation states that the information must be provided without undue delay and within one month of receiving the request at the latest. Where requests are complex or numerous, you will be able to extend the deadline for providing the information to three months, but you must still respond to the request within a month, explaining why the extension is necessary.
4. How should the information be provided?
You must provide data subjects with the option of making requests electronically (eg by email) as well as physically (by letter). Where a request is made electronically, the information must be provided in a commonly used file format. You should bear in mind that the confidentiality of the information you hold is your most important consideration so it is essential that you verify the identity of the person making the request and ensure that the data being disclosed is the correct data.
5. What can I do to prepare?
The changes to the rules regarding subject access requests mean that organisations will have to deal with requests more quickly and provide individuals with additional information. This, along with the fact that in most instances information must now be provided for free, means that organisations must dedicate more resources to responding to subject access requests.
- Update your procedures to ensure you can handle requests and provide any additional information within the new timescales.
- Develop template response letters to ensure that all elements of a response to an access request are being complied with.
- Ensure your firm can isolate data pertaining to a specific individual and provide data in compliance with the GDPR’s format obligations.
- Identify the members of staff that will be managing the request process and ensure that they are trained to recognise and respond appropriately to subject access requests.
These initial steps are just the starting point on what, for many firms, is likely to be a long journey. However, the clock is ticking. The Law Society and the Risk and Compliance Service have resources that will keep you informed and up-to-date, and our Advisory Service can help you to develop and implement your own approach.
Book a diagnostic session with us via email or ring us on 0207 316 5655.