With GDPR giving individuals more control than ever over the data you hold on them, your business faces a greater responsibility to make that data accessible, and tougher penalties for failing to do so, data subject access requests being one of them.
For many businesses, the arrival of GDPR created a false sense of security. With updated consent policies, upgraded cybersecurity and a sufficiently trained workforce in place, it was easy to succumb to the idea that this meant job done, boxes ticked, and back to business as usual.
The truth, however, is that achieving baseline compliance by deadline day was only the beginning. For any organisation, the long-term commitment to meeting regulatory requirements means being fully prepared to respond -swiftly and effectively- to a number of data-related events.
This includes not only data breaches, but also the right to be forgotten requests and data subject access requests, or DSARs if you prefer.
But that was then and this is now.
Under GDPR, the rules surrounding data subject access requests have changed, making it easier for individuals to gain access to the data you store about them and imposing stricter punishments if you fail to do so.
So what’s changed, and what exactly does your business need to do differently in order to guarantee frictionless compliance with GDPR rules for access requests?
At Relentless Privacy and Compliance, we’ve been working with a number of leading businesses across the UK, empowering them with the tools, strategies, and outsourced services they need to manage such requests without it impacting their business as usual processes.
Here, we answer your key questions about DSARs and what you need to do to remain GDPR compliant.
Data Subject Access Requests: What’s Changed?
If your business used to respond to data access requests under the old legislation, then you’ll know that you previously had 40 days to respond to such a request and that you could charge a reasonable administration fee for doing so.
It’s here where you’re going to notice the two biggest changes.
According to the Information Commissioner’s Office (ICO) which oversees GDPR compliance here in the UK, you now have to respond to requests as soon as possible, without undue delay and within one month.
You can also no longer charge for providing access to data except in very exceptional circumstances, which we’ll discuss later.
Recital 59 of the GDPR also states:
“The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means.”
In other words, if you have previously only taken access requirements via formal letter, you’ll now need to implement some form of the electronic system, whether that’s a form on your website, a specific email address, or any other suitable method.
It’s worth noting, however, that individuals don’t necessarily have to use that system in order to make a request. This brings us to our next point.
What Constitutes a DSAR?
Under GDPR, an individual can make a subject access request using any available method, including:
- Verbally in person
- Over the phone
- In a written letter
- Via your website
- Via email
- Via social media.
There is no formal way to make a request, so the individual doesn’t necessarily have to use the terms “subject access request,” “DSAR,” “Article 15,” or anything else, as long as it is clear that they are requesting their own personal data.
Furthermore, such requests can be made to anyone within your organisation. That means that if someone verbally asks one of your frontline staff in person, this request is just as valid as a formal letter, email, or completed form.
With that in mind, now might be an opportune time to look again at any recent GDPR training you’ve provided to your workforce and ensure that anyone dealing regularly with members of the public are trained to not only identify a DSAR, but also to ensure that request is dealt with by whatever internal response process you have in place.
What Information Can An Individual Request?
Article 15 of GDPR covers “right of access by the data subject.”
It states:
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- The purposes of processing
- The categories of personal data concerned
- The recipients or categories of recipients to whom the data has been (or will be) disclosed, in particular recipients in third countries or international organisations.
- Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
- The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
- Where the personal data are not collected from the data subject, any available information as to their source
- The existence of automated decision-making, including profiling, is referred to in Articles 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as The significance and the envisaged consequences of such processing for the data subject.”
If personal data has been transferred to a third party or international organisation, then the subject will also have the right to be informed of the appropriate safeguards put in place to protect that data.
In the most basic sense, what all of this means is that if you do hold data about an individual who makes a DSAR request, you are obligated to provide them not only with a copy of the data but with all supplementary information relating to how and why that data is used.
What Do I Need to Know About Providing a Response to a DSAR Request?
According to the ICO, the information you provide to an individual must be in a “transparent, intelligible and easily accessible form, using clear and plain language.”
For example, if your business uses particular codes for different data categories, you must provide a clear, legible explanation of what these codes mean.
If the request is made electronically, then Article 15 also states that “unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.”
Meanwhile, Recital 63 recommends a best practice solution of creating remote access to a secure system where individuals can directly access the data you hold about them. However, keep in mind that you shouldn’t do this if doing so could jeopardise the freedom of others, including trade secrets and intellectual property.
Remember that you have no more than one month to respond, starting from the day after the request is received regardless of whether that is a working day or not. In other words, if you receive a request on July 1st, the clock starts ticking on July 2nd, and you have until August 2nd to comply with that request.
Can I Extend the Amount of Time for Providing the Requested Information?
In most cases no, though as with everything in life, there are exceptional circumstances.
It is possible to extend the time to reply if the actual request is unduly complex or if the individual has made a number of requests.
That being said, the ICO states that it is unlikely to view an extension as reasonable under the following circumstances:
- The request is “manifestly unfounded or excessive”
- An exemption applies
- You’ve asked the individual to prove their identity before responding to their request.
Can I Ever Refuse a Request?
The only instance when you would be able to refuse a DSAR request is if the request is deemed to be “manifestly unfounded or excessive,” such as if a request is highly repetitive.
However, it’s worth noting that despite Article 57 of the GDPR requiring you to demonstrate the “manifestly unfounded or excessive” nature of the request, there are no clearly defined parameters for this threshold, making demonstrating it particularly challenging.
Of course, for every challenge, there’s always a solution, and at Relentless Privacy and Compliance, we’ve got just the solution for negating the complex world of DSAR responses.
The Easy, Affordable Way to Manage Your DSAR Response Process
With more individuals becoming aware of their rights concerning the data you hold about them; your business can fully expect to see an increase in the number of requests made over the coming months.
Not that this has to have a significant impact on your day-to-day operation.
Experts in helping businesses of all sizes ensure frictionless compliance with all aspects of the GDPR, we provide specialist subject access request services designed to simplify and streamline your response services, leaving you with more time, energy and resources to focus on growing your business.
Discover the easy, affordable way to manage DSAR responses by contacting us online today,