GDPR Blog Week 3: Subject Access Requests
One area that we expect to flare up following the GDPR’s implementation is data access requests by individuals who want to know what information is held about them.
The DPA 1998 already gave individuals a mechanism to access this information, but requests must now be handled within tighter timescales, so a streamlined approach from the moment a request is received is recommended.
In terms of timescales, the 40-day period to respond has been reduced to one calendar month from receipt of the request. This is the maximum time, however, and the GDPR states that the information must be provided without undue delay. The one-month period can be extended by up to two further months where a request is particularly complex or you have received a number of requests, but you must tell the individual within the first month that you are extending and why. If the scope of the request is too wide, or undefined, then you should ask for clarification of the information sought, again, with one eye on timescales.
I should mention here that it remains the data controller who is responsible for fulfilling a request from an individual. The role of a data processor is to assist the data controller with the data subject access request, and the processor is bound under the terms of its contract with the data controller to facilitate this. Obtaining data from processors takes time out of the same one-month window, so it is important to act on a request as soon as it is received.
The fee of £10 that could be charged under the old legislation has been removed and the cost of responding to a request must now be borne by the data controller. As you might anticipate, there are some exceptions to this rule, for example, when a request is “manifestly unfounded or excessive”, in particular because of its repetitive character. In such circumstances, you can charge a reasonable fee based on the administrative cost of responding, or even refuse the request, but you should explain this to the individual in writing and keep a robust audit trail to support the decision, as the burden of demonstrating that the request was unfounded or excessive rests with you. It is never an option to simply ignore a subject access request.
If you do refuse a request, you will also need to advise the data subject, within one month of receipt, of their right to complain to the ICO (Information Commissioner’s Office), the UK’s regulatory authority, and of their right to seek a judicial remedy.
My advice would be to put in place a policy for addressing subject access requests now, compile a suite of standard letters (acknowledgement, request for clarification, request for proof of identity, extension notice, refusal) and designate points of contact within your organisation to collate the data requested. Where you have reasonable doubts about the identity of the person making the request, you may ask for additional information to confirm it before releasing anything; build that check into the process rather than improvising it. That way, a request can be dealt with efficiently, economically and with accountability.
Please don’t hesitate to contact me, Louise Weatherhead at Louise.firstname.lastname@example.org or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team if you require any further information.
We will be releasing our blogs on a weekly basis in the run up to May to pick apart the new legislation in simple terms and help you to get GDPR-ready. Next week, our topic will be Responsibility and the role of a Data Protection Officer in your business or organisation. We hope that our blogs help you to think about transition arrangements and getting to grips with the new GDPR.