This blog post, the first in our GDPR Challenges series, will take you through everything that you need to know in order to effectively prepare and deliver any subject access requests your company receives after May 25th, 2018.
Data protection legislation makes it possible for any individual to request access to all personal information held on them by a company. However, as one of the core principles of the GDPR is right of access, it pays for you to understand what’s changing and how to manage a subject access request going forward.
At a Glance: Right of Access
Right of access is a core principle of the GDPR. Individuals have the right to access their personal data and supplementary information at any time. Under new GDPR guidelines, individuals will have the right to obtain:
- Confirmation that their data is being processed
- Confirmation on how and why their data is processed
- Access to their personal data at reasonable intervals
What is a Data Subject Access Request?
‘A subject should have the right of access to personal data which are collected concerning him or her, and to exercise that right easily and at reasonable intervals’ – GDPR Official Guidelines (Article 63)
A subject access request is how an individual asserts their right of access. While subject access requests are available under current data protection law, updates to what is considered ‘personal data’ mean that your company is potentially responsible for providing new information, such as biometrical and genetic data records.
The procedure for making and responding to a subject access request remains similar to most data protection laws. However, there are some key updates and changes which you should be aware of.
What counts as a valid Subject Access Request
In order for a subject access request to be valid it must be made in writing. However as this includes various digital and physical formats it’s useful to understand what does or does not count as valid.
- Under the GDPR it is possible for an individual to make a subject access request on social channels, such as Twitter or Facebook or via email. You must treat these applications as valid and respond to the individual within the 30 day timescale.
- A request sent via fax is considered to be a valid hard copy.
- If a written request fails to mention that it is a subject access request, but it is clear that the individual is asking for their own personal data, it is still valid and should be treated as such.
- Similarly, a Subject Access Request is considered valid, even when it has not been sent to the person in your company who usually deals with this kind of request.
- A verbal request is considered valid in most cases. However, you are obliged to validate a person’s identity (which often involves a copy of a passport or similar) so some written record will be necessary going forward.
As with any request of this nature, there are always exemptions to what is considered valid. For example, if a disabled person is unable to make a subject request in writing, you make have to make adjustment for them under the Equality Act 2010 (Disability Discrimination Act 1995- Northern Ireland). You may also have to make a similar provision to the format: Braille, audio transcribed, large print etc. Failure to make provision may not put you at risk of GDPR non-compliance, but will certainly put at risk of a claim under the Equality Act.
What information should a subject access request contain?
At first glance, it may appear that you have to include everything your company holds on an individual. And while, in many cases, this may be true, there are some important exceptions. Let’s begin with what information you should include in a subject access request:
It is important that a subject access request details:
- Confirmation that you are processing their personal data
- A copy of that personal data
- Any other supplementary information (largely provided in the privacy notice) – this includes:
- The purpose of the processing
- Categories of data processed
- Categories of recipients of the data or to whom it is disclosed/accessed
- The safeguards provided if the data is transferred to a third country or international organisation
- How long you intend to keep it for (of if not possible the criteria used to determine this period)
- The source of the data (if not collected directly from them)
- Where decisions are made from any automated processing, the logic involved and envisaged consequences
- The existence of the individual’s rights (rectification, erasure, restriction, objection)
- The right to appeal or lodge a complaint with the ICO
But is there any personal information you are not obliged to provide? The short answer is yes. Your company has the right to withhold information that would compromise or reveal:
- The personal data of another individual
- Intellectual property
- Trade secrets.
There may be times when responding to a Subject Access Request would mean you have to disclose the personal information of another person. In most cases, as mentioned above, you do not need to include this information except where:
- The other individual has consented to the disclosure; or
- It is reasonable in all the circumstances to comply with the request without that individual’s consent.
The GDPR regulations recognise that completing while Right of Access is fundamental, companies should not be expected to provide information simply because an individual is interested in it. Unless they are acting on behalf of another person, an individual is only entitled to see their own personal data.
You must establish whether the information requested falls under the definition of ‘personal data’. If it does not, you are not obligated to respond to the subject access request.
Keep in mind that this does not exempt your company from providing any information to the individual making a subject access request. You are obligated to provide as much information as possible when an individual makes a subject access request. Which is why it is important to understand exactly what information your company holds as well as developing a clear data management strategy. However, if you hold a large amount of data, you can ask the individual to specify the information or processing activities their request relates to in order to reduce the workload (but there’s no exemption to providing large volumes of data if that’s what they want).
How long do I have to respond?
First of all, the time you have to respond to a subject access request is reduced. Under the GDPR this reduced to 30 days in most cases.
It is possible to gain an extension to this timescale if the request is deemed complex, or numerous. Although the official GDPR guidelines state that ‘The controller should be prepared to make extensive efforts to find and retrieve requested information.’ This means that your company cannot refuse to grant access to personal information simply because it might be hard to find.
Additionally, to aid your company in preparing a subject access request, GDPR guidelines state that ‘the controller should be able to request that […] the data subject specify information or processing activities to which the request relates.’
What format do I need to respond in?
You must provide a copy of the information to the individual in an easy to access format. GDPR guidelines state that ‘the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.’ Another update to current guidelines is that, if the individual makes the request digitally, the response must be provided in a commonly used digital format.
It is important to develop a process for responding to subject access requests efficiently. The first step is to understand the data that you hold, and where it is stored. This will be covered in more depth below.
Can I charge for a Subject Access Request?
The short answer to this is no. Under the GDPR it is important that you provide any information in a subject access request for free. Of course, as with most regulatory changes, the reality is a little more complicated.
Where a request can be legitimately termed ‘manifestly unfounded, or excessive’ it is possible for your company to charge a ‘reasonable fee’. This particularly applies to repetitive requests and (occasionally) to further copies. However, this does not apply to a subject access request that is made after a reasonable interval.
Again, it pays to have an efficient process in place for dealing with subject access requests since they can be time consuming and put your company at risk of non-compliance and significant fines if you fail to deliver within the expected timescales.
How do I make sure I have located all the data necessary for a Subject Access Request?
To make sure that you are prepared for subject access requests, it is vital that you have your data in order. It’s thought around 80-90% of corporate data is unstructured. So, the difficulty is knowing what this information is, why it was created, what it contains and perhaps, most importantly, what value it holds for the business. All things that are crucial to ensuring a successful subject access request response.
At Automated Intelligence we specialise in helping organisations take control of their unstructured data. Our ground-breaking solution GDPR powered by AI.DATALIFT, can analyse what data is being stored and intelligently migrate it to the appropriate cloud-based ECM and cloud storage platforms. Once organised, it can help companies gain intelligent insights into their data.
Arrange a free demo of GDPR powered by AI.DATALIFT via the form below, to see how it can help your organisation respond effectively to subject access requests.