Depending on who you ask, the GDPR (General Data Protection Regulation) has either overhauled the way organisations handle personal data or it’s a complex and ultimately pointless piece of bureaucracy.
Fortunately, the number of people in the latter camp has shrunk in the past year or so, as the GDPR has proven to have a tangible effect on business. And we’re not just talking about fines, both big and small, handed out for regulatory violations. We’re talking about a grassroots change in the way people think about their personal information.
For example, since the Regulation took effect last year, there has been a huge increase in the number of individuals submitting DSARs (data subject access requests). Clearly, people are interested in the way their personal data is being used and want to make sure organisations are using it responsibly.
Let’s take a look at the biggest factors for this change in attitude.
1. Individuals are more aware of their rights
Individuals have always been able to view information that organisations keep on them. Before the GDPR, they could do this with an SAR (subject access request), but the GDPR tweaked the name and the way they work, and made people more aware of their rights.
This is one of the major benefits of the Regulation’s much-publicised disciplinary powers. It raised the stakes for effective cyber security and data privacy, leading to widespread discussions of the GDPR’s requirements and the rights it enshrined.
This links to the second reason that DSARs are occurring more regularly.
2. Individuals are more concerned about data privacy
The introduction of the GDPR reflects growing public worries over the way organisations use their data.
The likes of Facebook have been repeatedly entangled in data privacy issues, and many individuals have submitted DSARs to see what data of theirs is at risk and whether they should follow the right to access with the right to be forgotten.
When an individual invokes the right to be forgotten, organisations must permanently erase any data they store on that individual unless the data is necessary for specific business or legal reasons.
Individuals also have the right to restrict processing, which forces organisations to limit the way they use personal data.
It’s an alternative to requesting the erasure of personal data, and might be used when an individual contests the accuracy of their personal data or when they no longer need the information but the organisation requires it to establish, exercise or defend a legal claim.
3. Individuals are more curious
Individuals might not have a legitimate concern over the way an organisation processes their data but submit a DSAR because the results interest them.
Their intrigue might stem from wanting to see what information the organisation has and what it’s being used for. Alternatively, they might submit a DSAR to get involved with the GDPR and see how their rights work in practice.
Meanwhile, some access requests have come from individuals who want to test organisations’ compliance status. In the run-up to the GDPR taking effect, the Financial Times reported that Facebook and Amazon failed to respond to DSARs adequately.
If those organisations are still non-compliant, the person submitting the request can file a complaint, leading to an investigation from the relevant supervisory authority.
4. Organisations can no longer charge fees for DSARs
The GDPR has scrapped the right organisations have to charge a fee to fulfil a DSAR. Some people were happy to pay this sum in order to review the way their data was being processed, but it was enough to dissuade many.
With that obstacle now removed, anyone can exercise their rights with minimal fuss.
The only times organisations can request to be recompensed are if DSARs are “manifestly unfounded, excessive or repetitive”. However, given that there isn’t any guidance on what fits these criteria, organisations will be cautious about using them.
Want help with DSARs?
Responding to a DSAR can be fraught with complications, and there’s a good chance that once the data subject has had a chance to review your processing practices, they’ll request that you remove their information.
This is where the stakes are raised even higher. If you’re relying on consent to process personal data, you must now give individuals the option to withdraw consent, which would force you to delete their records.
You should therefore take the time to understand what you can and can’t do when responding to DSARs. Our GDPR Consent and Withdrawal templates are an excellent starting point, as they contain all the information you need to create procedures that meet your needs.