Subject Access Requests – Do you need a process?
A data subject has the right to obtain information as to whether personal data is being processed about him or her, access to that data and information about the purposes of processing, the categories of personal data being processed and to whom the personal data is being transferred.
Under the GDPR the information must be provided:
> free of charge (a change from the previous regime, which permitted a £10 fee).
> without undue delay and, in any event, within one month of receipt of the request (a reduction from the previous 40-day period).
Information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The obligation of transparency means that the employer must be able to explain how it has handled the request (for example, the steps taken to locate data).
Responding to a subject access request can be time-consuming and expensive and the process should be carefully documented in each case. Organisations that fail to comply with the GDPR's requirements after 25 May 2018 may be subject to significant fines as well as liability to affected data subjects.
It is therefore advisable for organisations to have processes in place to deal with subject access requests efficiently and expeditiously. Many businesses will already have procedures for handling subject access requests under the previous data protection regime, but these may need to be adapted in view of the new timeframes. Businesses should consider:
> Ascertaining the systems where personal data is held.
> Assessing their ability to locate data relating to a specific individual quickly and to provide it in compliance with the GDPR’s format obligations.
> Updating IT systems if necessary.
> Updating procedures and planning how to handle subject access requests and provide any additional information within the new timescales.
> Developing and implementing template response letters to ensure that all elements of a response to a subject access request under the GDPR are complied with.
> Ensuring that employees are trained to recognise subject access requests quickly and to respond to them appropriately.
> Considering GDPR best practice, including (where appropriate) a ‘data subject access portal’ which allows an individual to access their information quickly, easily and remotely.