Individuals have a right to access their personal data through Subject Access Requests (SAR), which are written, signed requests from individuals to access the data you hold on them. The GDPR makes the following changes to the data access and the SAR regime:
An organisation will not be able to charge for complying with a request unless the request is ‘manifestly unfounded or excessive’. The data controller may charge a reasonable administrative-cost fee if further copies are requested.
If a request is ‘manifestly unfounded or excessive’, the data controller can charge a fee or refuse to respond. In this situation the data controller must be able to provide evidence of why the request is ‘manifestly unfounded or excessive’.
It must be possible to make requests electronically, such as over email. When a request is made electronically, the information should be provided in a commonly-used electronic form, unless otherwise requested by the individual.
Content of Response
The response should allow the individual to know what information is held about them and what processing is being carried out. In responding to a request, data controllers may need to provide further information, such as the relevant data retention period and the right to have inaccurate data corrected.
Time to Respond
The data controller must respond to these requests within a month, with a possibility to extend this period for particularly complex requests. Under the Data Protection Act (DPA), the response time is 40 days.
Right to Withhold
Data controllers can withhold personal data if disclosing it would ‘adversely affect the rights and freedoms of others’. This is reflective of the current position under the DPA. The recitals to the GDPR note that this could extend to intellectual property rights and trade secrets. Member States may introduce further examples such as legal privilege.
How does this impact your business?
It will generally be free for individuals to make SARs, and individuals will be entitled to receive the information in an electronic format. Therefore, you will need to set up processes to ensure your business can handle an increase in SARs and respond within the 30-day timeframe required by the GDPR. Your business will also have to deal with requests more quickly and provide additional information.
What actions should you take to prepare?
Update your procedures and plan how you will handle SARs and provide any additional information within the new timescales.
Develop template response letters to ensure that all elements of a response to a SAR are GDPR compliant.
Assess your business’s ability to quickly isolate data belonging to a specific individual and to provide data in compliance with the GDPR’s format obligations.
Ensure that employees are trained to quickly recognise and respond appropriately to SARs.
Consider putting a ‘data subject access portal’ in place, allowing an individual to access their information easily online and minimising the cost to the data controller of dealing with the SAR.