An individual’s right to know where and how their personal data is being used has always been an important part of data protection laws, and this hasn’t changed under the GDPR. An individual still has the same right to make ‘subject access requests’, and businesses have an obligation to respond. But the process has become rather more complex than it ever was before.
Under the GDPR, an individual is entitled to:
- be informed whether the data controller is processing any of their personal data;
- receive a description of the personal data being processed, why it is being processed, and to whom the personal data has been or may be disclosed;
- be informed where the personal data was originally collected from (if not from the individual directly);
- be informed how long the personal data will be processed;
- be notified of their right to complain to the Information Commissioner;
- be notified that they have certain rights under the GDPR (including the right to be forgotten and the right to have inaccurate data rectified);
- be informed whether their personal data is used in any automated decision-making process;
- be informed of any appropriate safeguards in place where their personal data is transferred out of the UK;
- receive a copy of that personal data in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’.
What Does the GDPR Definition Really Mean?
The underlying principle is no different under the GDPR than it was under the previous data protection regime; it is simply the case that the amount of information that must be disclosed to the individual is now substantially greater.
What Does the GDPR Require?
Under the GDPR:
- all requests must be dealt with free of charge unless the request is ‘manifestly unfounded or excessive’;
- the response to a request must be given ‘without undue delay’, but within 1 month of the request; that period can be extended to 2 months in particularly complex situations;
- where a request has been made by electronic means, the response to the request must also be given electronically (in all other cases, the response must be given in writing unless the individual requests otherwise).
Under the previous data protection regime, a data controller could refuse a request where disclosure of any personal data would also disclose information relating to another person, unless that other person had given their consent. The GDPR allows the data controller to refuse a request only where it cannot reasonably identify the individual making the request.
What Effect Has This Had on UK Businesses?
In order to respond fully to subject access requests, businesses must ensure their record-keeping is comprehensive and up-to-date – how else is a business going to be able to tell an individual where their personal data was originally collected from?
We have seen an increase in the number of subject access requests being made by individuals, particularly where an individual is in dispute with the business, because of the increased time and effort needed to respond. As a result, businesses have been more inclined to settle disputes than to deal with requests. Since the GDPR’s implementation, many businesses have expressed concerns regarding their ability to process subject access requests as and when they receive them, not only from a volume standpoint but in terms of actually locating and providing the requested data.
What Should my Business be Doing?
If you have not done so already, revise your business’s data protection policy to include a process for identifying and dealing with subject access requests, so that each and every one is recorded and responded to fully. Ensure the policy identifies one or more members of staff who are primarily responsible for responding to requests, so that each is dealt with in accordance with the GDPR.
Also ensure that, wherever personal data is processed within your business, you have comprehensive and up-to-date records including (as an absolute minimum) the information that you would be required to disclose if you were ever to receive a subject access request in relation to that data.