The right of individuals to access their personal data is one of the most important principles of data protection law. Already, European citizens have the right to know whether or not organisations hold data on them and what that data is for. There is also a broad requirement on controllers to supply copies of that data when requested.
The General Data Protection Regulation (GDPR) takes things further. For individuals, the new law strengthens existing access rights and aims to make it easier for people to exercise them. For you, it demands a fresh look at your ability to respond to requests. Would your people recognise a “data access request” when it arrives? Can you respond to it with the minimum of disruption, whilst staying on the right side of the law?
As we’ll show you, with a good grasp of the law, suitable procedures and the right toolkit, you should have everything you need to take data subject access in your stride.
Subject access: what information must your organisation provide to individuals?
As a starting point, individuals are entitled to confirmation of whether you are processing their data. Bear in mind that “processing” is a wide term (further info is available for you in our GDPR definitions guide).
If you are processing their data, those individuals are entitled to the following information from you:
- The reason why you need the data (i.e. the purpose of the processing)
- The categories of data – e.g. customer account or HR records
- How long the data will be stored
- Details of third parties to whom the data will be disclosed (e.g. storage service providers)
- Important data rights information. You must confirm that data subjects are entitled to ask you for “data rectification” if the information you hold is inaccurate. You must also make it clear that they are entitled to withdraw consent to the processing if they so wish, and that they have the right to make a complaint to the data regulator if they believe data is being processed unlawfully.
- Confirmation as to whether data is being used for “automated decision making” (e.g. using software for personalised price setting).
Data subjects can also ask for a copy of the data you hold on them. Under the old rules, you could generally charge an admin fee for supplying information and copy data. Now, the GDPR stipulates that a copy of the data must be provided for free – although it is possible to levy a charge where multiple requests are made for the same data. You must respond to the request within a month, although this can be extended if it’s a complicated request involving lots of data.
For individuals, gaining access to their data can often be the first step; it allows them to see what data is held on them – and how it’s used. The next step might be to exercise other important rights which the GDPR gives individuals:
- The right to be informed
- The right to rectification (data correction)
- The right to erasure
- The right to object to processing and to request that it is restricted
- The right not to be evaluated solely on the basis of automated decision making, and rights in relation to profiling.
For a thorough understanding of these rights, check out our information hub.
How to handle subject access requests (SARs)
If you are unwilling or unable to respond to SARs on time, or at all, this opens up the possibility of complaints against you to the regulator. This can lead to an investigation of your data management procedures by the ICO – and possibly even a fine (you can learn more about GDPR penalties on our blog).
Accurate, up-to-date information about your customers is essential for delivering a great service. Achieving this can often be so much easier if those customers are able to view, check and tell you about anything that needs changing, or even amend key data themselves. So quite apart from the threat of sanctions, making data access easy can make great business sense.
For better data access, pay special attention to the following:
Consider a self-service approach to data access
Ideally, exercising data rights shouldn’t be a complicated process. This is why GDPR encourages firms to have a suitable mechanism in place, possibly with a self-service element, to make SARs easier.
To take the example of an online business, this might consist of a secure portal where customers can view a data summary, and can then download or print out copies of their data.
Proformas and electronic access
Where a request is made electronically, GDPR stipulates that it should be responded to electronically, too. A self-service data portal won’t be practical for all businesses, but you might want to consider drafting templates for responding to requests. This would include separate fields for the category type, anticipated date of deletion and the other points detailed above.
For hard-copy paper records as well as your IT systems, a reorganisation of your customer and HR files might also be a good idea. This should let you identify and retrieve all the data relating to an individual quickly and easily if he or she submits a request.
Bringing it all together with The Privacy Compliance Hub
The right of access is often a gateway to other GDPR rights. Having obtained a bird’s-eye view of their data, individuals might ask you to make changes, to stop or alter the data processing – or perhaps even to send it to someone else. These are all vital elements of GDPR compliance.
The Privacy Compliance Hub helps you bring all of them together. It’s a one-stop portal of the tools, templates, reports and processes your business needs to ensure that you can handle all data-related queries with ease – including SARs, no matter how complex. Ready to find out how it works? Ask for a free demo – or speak to us today.