Dealing with subject access requests under GDPR

Under the new General Data Protection Regulation (“GDPR”), which will come into force on 25 May 2018, individuals will benefit from heightened rights in terms of their ability to request and access personal data from any entities holding such data about them.

All of the rights from the current Data Protection Act 1998 (“DPA”) will remain in place. Other rights, however, are novel or enhanced to react to the developments in the digital age. For example, if an individual makes their request electronically, an organisation should provide the information in an electronic format. Furthermore, the GDPR introduces a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would give the individual direct access to their information. Whilst this may not be appropriate for all organisations, it gives an indication of what is expected under the new GDPR regime.

Fees

One key change relates to the fee; in most cases organisations will no longer be able to charge the individual for the administrative costs of finding, gathering and disclosing data to the individual unless the individual’s request is “manifestly unfounded or excessive” (which is expected to be a high threshold to satisfy). An example of a scenario where a fee could be charged is if a request is repetitive or if additional copies of the data are requested.

This change is likely to cause a hit to employers and other organisations. Whilst the current fee may not cover the entire expense involved in responding to a request, it does at least go some way to minimising the financial impact to the business in carrying out its obligations. Businesses may, under the GDPR, find their budgets and resources dented further by these new obligations. However, if the subject access request is unfounded, excessive or repetitive, an organisation may be able to charge for dealing with the request by levying a “reasonable fee” (which is not defined) to take into account the administrative costs of providing the information.

Timing

Timing will be another vital difference. Currently, organisations have a deadline of 40 days to respond to a Data Subject Access Request. Come May 2018 however, information must be provided to the individual without delay, and at the latest, within one month of receipt of the request.

Though not an extensive difference in timing on the face of it, businesses may find that their already limited resources are stretched further if there is an influx of requests under the new regulation. With many organisations already finding the current response timescale onerous, this reduction in response time is likely to cause an anxious stir in the HR world.

The new rules do give some breathing space for organisations in that they can extend the deadline by a further two months where the individual’s requests are complex or numerous. If this is done, the organisation must notify the individual of this within a month of receipt of the request, providing its reasons for the delay.

Unfounded and excessive requests

In addition to being able to charge the individual if their request is unfounded and/or excessive (for example, if there is repetition in the request), organisations may outright refuse to respond to the request. If they choose to do this, however, reasons for the refusal must be given to the individual. The individual will also need to be informed of their right to complain to the relevant supervisory authority (which will be the Information Commissioner’s Office) and of their right to a judicial remedy. Both the reasons for refusal and the notice of the right to complain should be given to the individual without undue delay and, at the very latest, within one month of the request.

It is not yet certain how easy it will be for businesses to be able to rely on the unfounded and/or excessive exception. Given, however, that the purpose for allowing individuals to access their personal data (which is a fundamental right) is to be able to verify the lawfulness of its processing, it is highly unlikely that organisations will be able to avoid their responsibilities in providing data in response to a valid request.

Where an organisation processes a vast quantity of information about an individual, it may ask that individual to clarify what particular information they are referring to in the request. The organisation should then be able to consider whether the scale of the information requested is ‘unfounded’ and/or ‘excessive’ and react to the request accordingly.

The fundamental structure and procedure for making and responding to subject access requests will, on the whole, remain the same as under the DPA regime. Nevertheless, many of the above changes may cause a bigger-than-anticipated effect on a business’ finances and people-power. Early preparation for dealing with these changes should therefore be a forefront consideration for organisations in anticipation of May 2018.

By Richard Thomas, employment lawyer and partner at Capital Law.

European Data Protection Summit will take place on June 3rd in Central London and will play host to 800 DPOs, security professionals and senior business decision makers looking for information, updates, clarity, advice and solutions. For more information, visit the website.