#AtoZofGDPR - A is for Access
There are a number of new and updated rights that came into force with the GDPR. The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It is important that organisations and their employees are trained to recognise when a data subject invokes their right to access their data via a subject access request. It can help individuals to understand how and why you are using their data, and check you are doing it lawfully.
Article 15 deals with the “Rights of access by the data subject”:
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
The GDPR is big news because it can't be business as usual for any type of company or public sector body after May 2018.
If it is business as usual after that point, there will be consequences for companies and organisations, whether they are big or small, public or private, and those consequences will be very significant.
Under previous data protection legislation, organisations were able to charge a small fee for providing the information to the data subjects. Under the GDPR this has changed and the data controller MUST provide a copy of the information free of charge. However, if further copies of the same information are requested by the data subject, the controller may request the payment of a reasonable fee.
In addition, under the GDPR the timescale for responding to a subject access request has been reduced to 30 calendar days down from 40 days.
So, what can you do to handle Subject Access Requests efficiently?
- Don’t ignore it. Ignoring a request could lead to financial penalties, enforcement action or legal proceedings. The DPC hasn't yet handed out any significant fines, but the biggest threat to your organisation is a damaged reputation.
- Identify the data subject. It is important to verify that the person requesting the information is who they claim to be. It is not good practice to request an unreasonable list of documents or data to verify the data subject, so follow the minimisation principle. In addition, you cannot collect data just in case!
- Don’t delay. Dealing with an SAR is time consuming, so engage the appropriate personnel and start locating the information as soon as you receive the request.
- Liaise with the data subject. Most subject access requests will be lodged by someone who is unhappy. Picking up the phone and talking to them can go some way to mitigating adverse consequences further down the line.
- Locate the personal data. Consider electronic systems and manual filing systems, backup data and any third-party data processors (e.g. payroll and benefit providers) who may also hold relevant personal data. Your data mapping document should help you locate the data.
- Redact information relating to third-party individuals unless you have their consent or it is reasonable in all the circumstances to provide that information.
- Consider whether an exemption applies under which the data would be exempt from disclosure.
- Respond to the request within the timeframe, provide copies of the relevant data, and explain if and why you are relying on any of the exemptions.