When GDPR comes into force on 25 May, the following will change in relation to data access requests:
- The fee for data access requests will no longer apply
- Businesses will need to respond to data access requests within one month instead of the existing forty-day timeline
- If the data access request has been made electronically, for example by email, then the response should also be in electronic form
- Businesses may charge a reasonable fee for administrative costs if the request is excessive
- Businesses will have some grounds to refuse a data access request if it is seen as being clearly unfounded or excessive. Your business will need to have a clear policy that details the grounds and procedures for refusing this type of data access request, and it must be able to demonstrate why the request meets these criteria
Before processing a data access request, it may be helpful to request some form of ID or other method to verify that the individual is who they say they are. You can also ask them to specify what data they wish to receive. However, the individual can refuse to specify and insist on receiving all their personal data. In this case, businesses would need to provide a copy of all personal data that is held on file in relation to that individual unless it is excessive or unfounded.
Under GDPR, data subjects are entitled to the following information when they make a data access request:
- The reason/s for processing their data
- The categories of personal data that relate to them
- Whether any third parties have been given access to the personal data, in particular recipients in third countries or international organisations. This also needs to include the appropriate safeguards that are put in place to protect the individual's data in relation to the transfer of their data
- How long the personal data will be held for, or the criteria used to determine that period
- Their right to request that their data be updated or removed entirely, or that some aspects of the processing of their data be restricted
- How to lodge a complaint with a supervisory authority, in this case the Data Protection Commissioner
- If the data was not collected directly from the individual, for example if it was obtained from a publicly available source, you need to let them know where it was obtained from
- The existence and use of automated profiling. The individual has the right to know the significance and the consequences of this processing. They can also object to the use of automated profiling on their personal data
How can businesses prepare for a data access request?
The first step is to create a data access request policy. This should include reasons for refusing unfounded or excessive data access requests along with clear guidelines on how to manage these.
The second step is to ensure that all staff are trained in how to recognise a data access request and who to send it to as well as who to contact if that person is on leave.
The third step is to know where all your data is stored and, if possible, to centralise as much of the personal data as you can. This makes it easier to respond to the data access request within the one-month timeline.
Finally, it is recommended that you test your data access request procedure to see if you can meet the timeline and fix any issues that may arise.
In the meantime you can avail of our new publication ‘Mind your business: prepare for GDPR’ and other GDPR resources here.
If you would like more information on GDPR or to discuss your requirements further please contact Helen at SFA on 01 605 1668 or at firstname.lastname@example.org or visit our GDPR section on http://www.sfa.ie/advice