An individual’s right to know where and how their personal data is being used has always been an important part of data protection law, and this has not changed under the GDPR. An individual still has the same right to make ‘subject access requests’, and businesses still have an obligation to respond. But the process has become rather more complex than it was before.
Under the GDPR:
An individual is entitled to:
- be informed whether the data controller is processing any of their personal data;
- receive a description of the personal data being processed, why it is being processed, and to whom the personal data has been or may be disclosed;
- be informed where the personal data was originally collected from (if not from the individual directly);
- be informed how long the personal data will be stored, or the criteria used to decide that period;
- be notified of their right to complain to the Information Commissioner;
- be notified that they have certain rights under the GDPR (including the right to be forgotten and the right to have inaccurate data rectified);
- be informed whether their personal data is used in any automated decision-making process;
- be informed of any appropriate safeguards in place where their personal data is transferred out of the UK;
- receive a copy of that personal data in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’.
What does the GDPR definition really mean?
The underlying principle is no different under the GDPR than it was under the previous data protection regime; it is simply that the amount of information that must be disclosed to the individual is now substantially greater.
What does the GDPR require?
Under the GDPR:
- all requests must be dealt with free-of-charge unless the request is ‘manifestly unfounded or excessive’;
- the response to a request must be given ‘without undue delay’ and in any event within one month of the request; that period can be extended by up to a further two months where requests are particularly complex or numerous, provided the individual is told within the first month why the extension is needed;
- where a request has been made by electronic means, the response must also be given in a commonly used electronic form unless the individual requests otherwise; in all other cases the response must be given in writing, unless the individual asks for it to be provided in another way.
Under the previous data protection regime, a data controller could refuse a request where disclosing the personal data would also disclose information relating to another person, unless that other person had consented. Apart from requests that are ‘manifestly unfounded or excessive’, the GDPR allows the data controller to refuse a request only where it cannot reasonably identify the individual making it.
What effect has this had on UK businesses?
In order to respond fully to subject access requests, businesses must ensure their record-keeping is comprehensive and up-to-date – how else is a business going to be able to tell an individual where their personal data was originally collected from?
We have seen an increase in the number of subject access requests made by individuals, particularly where the individual is in dispute with the business, because of the increased time and effort now needed to respond. As a result, businesses have been more inclined to settle disputes than to deal with the requests. Since the GDPR came into force, many businesses have expressed concerns about their ability to process subject access requests as and when they receive them, not only because of the volume of requests but because of the difficulty of actually locating and providing the requested data.
What should my business be doing?
If you have not done so already, revise your business’s data protection policy to include a process for identifying and handling subject access requests, so that each one is recorded, dealt with in accordance with the GDPR and responded to fully. The policy should name one or more members of staff who are primarily responsible for responding to requests.
Also ensure that, wherever personal data is processed within your business, you keep comprehensive and up-to-date records containing (as an absolute minimum) the information you would be required to disclose if you were ever to receive a subject access request in relation to that data.
So if I receive a request from somebody, I will have a month to reply?
No. You must respond ‘without undue delay’, so if it would be reasonable for you to gather the information and respond more quickly, you must do so. One month is the ordinary deadline, not a target. If the request is particularly complex, or you have received a number of requests from the same individual, you can (within that first month) explain to the individual why you need more time, and the period is then extended by up to a further two months. The ICO has recently confirmed that time starts running from the day the access request is received by the controller.
And I can no longer charge £10 for responding?
No, definitely not. Where the request is ‘manifestly unfounded or excessive’, perhaps because of a number of repetitive requests, then you are entitled to either refuse to respond or, if you do respond, charge a reasonable fee to cover your administrative costs. But otherwise, you must deal with all requests free-of-charge.
What if I’m not convinced the individual making the request is who he says he is?
If you have reasonable doubts about the identity of the individual making the request, you may ask for the additional information you need to confirm it, and you do not have to respond until you have done so. The onus is on you to show that the doubt was reasonable, and you will be expected to ask the individual to confirm their identity before refusing to respond.
But I have absolutely no idea where the data I’m processing came from originally because it’s so old – what can I do?
If you receive a subject access request in relation to that data, and it is classed as personal data, then you are required to inform the individual of any available information as to its original source. If you genuinely don’t know, and cannot reasonably find out, then you must explain that to the individual.
I’ve really got to tell the individual that he has a right to complain about my business?
Yes. If you receive a subject access request, you must inform the individual that they have a right to complain to the Information Commissioner about your business if they believe you have failed to comply with the GDPR.
What about subject access requests received from my current employees?
At the moment, they are treated no differently, and you would be required to respond in precisely the same way.
- Data controller means the person/business who determines the purposes for which personal data will be processed, and the manner in which it will be processed.
- GDPR means the General Data Protection Regulation, the EU law that effectively replaced the Data Protection Act 1998.
- Information Commissioner means the regulatory authority that is tasked with policing the use, storage, transmission and processing of personal data in the UK, including preparing UK businesses for the introduction of the GDPR.
- Personal data means any information relating to a living person who can be identified, directly or indirectly, from that information (whether alone or in combination with other information).
- Process means to do just about anything with personal data, e.g. collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, erasing, destroying or otherwise making the data available to somebody else.
This briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.