With the UK GDPR giving individuals more control over their data, your business faces a greater responsibility to make that data accessible and tougher penalties for failing to comply with Data Subject Access Requests
For many businesses, the arrival of post-Brexit UK GDPR created a false sense of security. With updated consent policies, upgraded cybersecurity and a sufficiently trained workforce, it was easy to succumb to the idea that this meant job done, boxes ticked, and continue business as usual.
The truth, however, is that achieving baseline compliance by January 1st 2021 was challenging for many. For any organisation, the long-term commitment to meeting regulatory requirements means responding swiftly and effectively to many data-related events: not only data breaches, but also right to be forgotten requests and data subject access requests, or DSARs if you prefer.
We’ve been working with several leading businesses across the UK, empowering them with the tools, strategies, and outsourced services they need to manage such requests without impacting their business as usual.
Here, we answer your key questions about DSARs and what you need to do to remain UK GDPR compliant.
Controller Obligations
Under the UK GDPR, you must respond to requests without delay and, in any event, within one calendar month.
Recital 59 of the GDPR also states:
“The controller should provide a means for requests to be submitted electronically, especially where personal data are processed by electronic means.”
In other words, if you have previously only accepted access requests via formal letter, you’ll now need to implement an electronic system, whether a form on your website, a specific email address or any other suitable method.
It’s worth noting, however, that individuals don’t necessarily have to use that system to make a request.
What Constitutes a DSAR?
Under GDPR, an individual can make a subject access request using any available method, including:
a: Verbally in person
b: Over the phone
c: In a written letter
d: Via your website
e: Via email
f: Via social media.
There is no formal way to make a request, so the individual doesn’t necessarily have to use the terms “subject access request,” “DSAR,” “Article 15,” or anything else, as long as it is clear that they are requesting their data.
Furthermore, requests can be made to anyone within your organisation. That means that if someone verbally asks one of your frontline staff in person, this request is just as valid as a formal letter, email, or completed form.
Therefore, now might be an opportune time to revisit any recent EU GDPR training you’ve provided to your workforce.
Ensure that anyone regularly dealing with customers, employees, vendors, etc. receives training to identify a DSAR, and that any request they receive is handled by whatever internal response process you have in place.
What Information Can An Individual Request?
Article 15 of GDPR covers the “right of access by the data subject.”
It states:
The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are processed and, where that is the case, access to the personal data and the following information:
1: The purposes of processing
2: The categories of personal data concerned
3: The recipients or categories of recipients to whom the data has been (or will be) disclosed, particularly recipients in third countries or international organisations.
4: Where possible, the envisaged period the controller will store the data, or, if not possible, the criteria used to determine that period.
Rectification or Erasure
The right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing.
Where the personal data is not collected from the data subject, any available information as to its source.
Automated Processing
The existence of automated decision-making, including profiling, as referred to in Articles 22(1) and (4), together with the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”
Where personal data is transferred to a third party or international organisation, the data subject also has the right to be informed of the appropriate safeguards in place to protect that data.
All this means is that if you hold data about an individual who makes a DSAR, you are obliged to provide them with a copy of that data together with all the supplementary information about how it is used.
What Do I Need to Know About Providing a Response to a DSAR Request?
According to the ICO, the information you provide to an individual must be in a “transparent, intelligible and easily accessible form, using clear and plain language.”
For example, if your business uses particular codes for different data categories, you must provide a clear, legible explanation of what these codes mean.
If the request is received electronically, Article 15 states, “unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.”
Meanwhile, Recital 63 recommends a best practice solution of creating remote access to a secure system where individuals can directly access the data you hold about them. However, remember that you shouldn’t do this if doing so could jeopardise the freedom of others, including trade secrets and intellectual property.
Fulfilment
Remember that you have no more than one month to respond, starting from the day after the request is received, regardless of whether that is a working day. In other words, if you receive a request on July 1st, the clock starts ticking on July 2nd, and you have until August 2nd to comply with that request.
Can I Extend the Amount of Time for Providing the Requested Information?
In most cases, no. As with everything in life, though, there are exceptional circumstances.
It is possible to extend the time to reply if the actual request is unduly complex or if the individual has made several requests.
However, the ICO states that it is unlikely to view an extension as reasonable in the following circumstances:
The request is “manifestly unfounded or excessive.”
An exemption applies.
You’ve asked the individual to prove their identity before responding to their request.
Can I Ever Refuse a Request?
The only instance in which you can refuse a DSAR is where the request is deemed “manifestly unfounded or excessive,” for example where it is highly repetitive.
However, it’s worth noting that although Article 57 of the GDPR requires you to demonstrate the “manifestly unfounded or excessive” nature of the request, there are no clearly defined parameters for this threshold, which makes it particularly challenging to demonstrate.
With more individuals becoming aware of their rights concerning the data you hold about them, your business can fully expect to see an increase in the number of requests made over the coming months.
Not that this has to have a significant impact on your day-to-day operation.
As experts in helping businesses of all sizes ensure compliance with all aspects of the GDPR, we provide specialist subject access request services designed to simplify and streamline your response process, leaving you with more time, energy and resources to focus on growing your business.