General Data Protection Regulation 2018 (6)

  • By MICHAEL HANSON
  • 06 Aug, 2018

Action Required: Ensure that you can adequately respond to a subject access request within the revised timescales that will apply from 25 May 2018.

 

As you know, the General Data Protection Regulation (GDPR) comes into effect on 25 May 2018.

 

It is already the case that individuals can obtain copies of the information that you hold about them. The GDPR strengthens this right and shortens the time you have to respond.

 

As a reminder, the legislation covers any information from which a living individual can be identified. This is not limited to straightforward name and address details: it includes personal information about otherwise commercial contacts, about employees and about job candidates.

 

Before going into the details of the requirements, it is worth asking that you remind your staff and colleagues that nothing should be put in writing about an individual unless you are happy for that individual to see what you have written.

 

We would have hoped, by now, that everybody would be aware of the risk of placing derogatory comments in email, in client and staff files and in social media posts. Unfortunately, we continue to see evidence that this lesson has not been learned.

 

So, the right of access:

  • Gives individuals the right to access their personal data and supplementary information.
  • Allows individuals to be aware of, and verify, the lawfulness of the processing.

Under GDPR, the individual has the right to obtain:

  • Confirmation that their data is being processed;
  • Access to their personal data; and
  • Other supplementary information (broadly, the information that should already be contained in a privacy notice).
 

 

Charging fees for access

  • You must provide a copy of the information free of charge.
  • However, if the request is manifestly unfounded or excessive (particularly if it is repetitive), you can charge a reasonable fee based on the realistic administrative cost of providing the information.
  • You may also charge a reasonable fee for further copies of the same information.

 

 

Timescales

  • Information must be provided without undue delay and, at the latest, within one month of receipt.
  • You can extend this period by up to a further two months where requests are complex or numerous. In that case, you must inform the individual within one month of receipt of the request and explain why the extension is necessary.

 

 

Unfounded or excessive requests

Where requests are manifestly unfounded or excessive, particularly because they are repetitive, you can:

  • Charge a reasonable fee, as mentioned above; or
  • Refuse to respond.

If you refuse to respond to a request, you must explain why to the individual, and tell them about their right to complain to the Information Commissioner's Office and to seek a judicial remedy. Bear in mind that it is for you to demonstrate that the request was manifestly unfounded or excessive, so record your reasons.

 

 

Providing the information

  • Firstly, you need to verify the identity of the person making the request using "reasonable means". The check should be proportionate: enough to avoid disclosing one person's data to another, but not so onerous that it becomes an obstacle to a legitimate request.
  • If the request is made electronically, you should respond in kind by providing the information in a commonly used electronic format (PDF, for example), unless the individual asks for it in another form.

 

 

Requests for large amounts of personal data

Where you process a large quantity of information about an individual, the GDPR allows you to ask the individual to specify the information or processing activities that the request relates to. Asking for clarification does not, by itself, stop the one-month clock, so do it promptly.

 

 

Information to be provided

For most firms, client, employee and prospect information will be held on some form of system. You need to be able to export the personal data into a format that can be delivered to the individual concerned, within the period allowed.

Additionally, any information held in paper files must also be provided (most firms seem to hold job candidate details in paper files).

There is no limitation on the type or format of information that must be provided to the individual. Therefore, you will need to consider whether you hold any of the following:

  • CCTV footage
  • Email trails within your mail system
  • Telephone call recordings
  • Any photographs
  • IP addresses
  • Telematics data

 

 

Action Required

The right for individuals to obtain the information you hold about them has existed for many years now (and the firms that we deal with have received very few subject access requests).

However, GDPR will raise the profile of this right, particularly in the period leading up to the end of May 2018 and immediately afterwards.

You therefore need to be able to identify all of the locations in which you may be holding data relating to individuals (clients, employees, prospects and job candidates; are there any others?) and to ensure that you have a coherent mechanism to extract all of that information and deliver it to the individual on request.

You also need to consider whether you can make life easier for yourself by securely destroying any data you no longer need: data you do not hold cannot be the subject of a request.

As always, we are more than happy to provide any help or advice on this issue.
