It is important for employees within businesses to understand what information an individual is entitled to under the GDPR.
As with many parts of the GDPR, the individual's right of access was previously addressed, in part, by the Data Protection Act and is not completely new. However, there are a few changes in the GDPR legislation that replaces the Data Protection Act, and these change how businesses share data with individuals who have requested it.
To summarise, under the GDPR, individuals will have the right to obtain:
- Confirmation that their data is being processed
- Access to their personal data
- Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see Article 15).
Why do we allow individuals the right to access their data?
The reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing.
What is a SAR?
A SAR is a Subject Access Request. This is essentially a request for personal information that your company may hold about an individual. If an individual wishes to exercise their subject access right, the request must be made in writing. This can also mean electronically (e.g. by email). Where a request is made electronically, the information should be provided in a commonly-used electronic form, unless otherwise requested by the individual.
Can I charge a fee for dealing with a subject access request?
It is not always straightforward to supply data to the individuals who have requested it, which is why, in the past, it has been acceptable to charge individuals an administration fee for requesting information.
Under the GDPR, you must provide a copy of the requested information free of charge. However, you can charge a ‘reasonable fee’ when a request is “manifestly unfounded”, meaning that the request very obviously has no basis and is unjustified.
Reasonable fees can also be charged if the requests are excessive, “particularly if it is repetitive”.
The ICO explains that you may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that you can charge for all subsequent access requests.
The fee must be based on the administrative cost of providing the information.
How long do I get to send over the requested information?
Information must be provided without delay and at the latest within one month of receiving the request from the individual.
You will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, you must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
What if the request is manifestly unfounded or excessive?
Where requests are manifestly unfounded or excessive, in particular because they are repetitive, you can:
- Charge a reasonable fee, taking into account the administrative costs of providing the information
- Refuse to respond
Where you refuse to respond to a request, you must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
What is the best way to provide individuals with their data?
The GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information. This will not be appropriate for all organisations, but there are some sectors where this may work well.
The right to obtain a copy of information or to access personal data through a remotely accessed secure system should not adversely affect the rights and freedoms of others.
This may have a significant effect on your organisation if you receive large volumes of requests, as it may increase your administrative costs. At present there is insufficient guidance on what is meant by “manifestly unfounded or excessive”, so your organisation should approach this with some caution.
Does my company ever have the right to withhold requested personal data?
Under the GDPR, organisations can withhold personal data if disclosing it would ‘adversely affect the rights and freedoms of others.’ It will be up to the UK government to introduce any further exemptions to SARs such as for national security, defence and public security.
So what do I need to do now?
Having an effective procedure in place to deal with SARs will ensure that you are able to comply with the new reduced timescales.
- Email accounts of staff who may receive SARs should be monitored while those staff are out of the office, so that requests are dealt with quickly and within the allowed time frame.
- Consider designing and using template response letters, so that every response to a SAR meets the GDPR requirements and is sent promptly.
- Ensure that employees are trained in dealing with SARs and that they can recognise when an individual has made a SAR and how this is to be dealt with.
- It is always a good idea to implement the practices suggested by the ICO. Incorporating a ‘data subject access portal’ will allow an individual to access their information quickly, easily and remotely.
Information taken from the official ICO website (www.ico.org.uk). We highly recommend that all our readers and clients familiarise themselves with the descriptive and thorough GDPR guidance at this link. Everything you need to know is there.