The introduction of the General Data Protection Regulation (GDPR) has given EU residents a range of new powers when it comes to the way organisations process their personal data.
By submitting a DSAR (data subject access request) to an organisation, individuals are entitled to receive:
- Confirmation that their personal information is being processed;
- Access to that information;
- The organisation’s lawful basis for processing;
- The names or categories of any third parties that the information has been shared with;
- The estimated period for which the personal data will be stored (or, if this hasn’t yet been decided, the criteria used to determine that period);
- Any relevant information about how the personal data was obtained; and
- Information about automated decision-making, including profiling, and the reasoning for and potential consequences of the automation.
In responding to the DSAR, organisations must also remind the data subject that they have the right to object to the processing, request the rectification of the data or lodge a complaint with a supervisory authority.
These rights are broadly consistent with national data protection laws that stemmed from the EU’s Data Protection Directive, albeit more rigorous.
The more significant changes are the GDPR’s tough new rules on the way that information must be provided, which we’ve outlined here.
1. You cannot charge a fee for providing information
In most circumstances, organisations will need to give the subjects a copy of the information they request free of charge. However, organisations are permitted to charge a “reasonable fee” when a request is manifestly unfounded, excessive or repetitive.
This fee must be based on the administrative cost of complying with the request.
Organisations can also refuse to grant excessive, unfounded or repetitive requests. If they do this, they must explain to the individual why they are refusing to comply and inform them of their right to appeal to the organisation’s supervisory authority.
2. You have one month to respond
The next major change is the GDPR’s stricter response time for DSARs, requiring organisations to provide the requested information within a month.
Where requests are complex or numerous, organisations are permitted to extend the deadline to three months. However, they must still respond to the request within a month and explain why the extension is necessary.
It’s a good idea for organisations to assign a team of employees to oversee the response process. This ensures that requests don’t fall through the gaps and get forgotten.
Smaller organisations may be tempted to hand the GDPR request responsibilities to a single point of contact – typically whoever is handling the duties of the DPO (data protection officer) – but you should avoid doing this wherever possible.
Should that employee take an extended holiday or have an unexpected absence, requests could pile up with no one keeping track of them.
3. You must allow electronic requests
There are no specific rules for how a DSAR must be made; individuals can simply say, for instance, “I’d like to see what personal data you have on me”, or make the request by email.
Where a request is made electronically, the information must be provided in a commonly used file format.
Similarly, Recital 63 of the Regulation states that data controllers should, where possible, provide “remote access to a secure system which would provide the data subject with direct access to his or her personal data”.
Are there any limits on what organisations can provide?
Organisations don’t automatically have to comply with every DSAR they receive.
For example, the person tasked with completing the access request might determine that it’s manifestly unfounded, excessive or repetitive, in which case they can either charge “a reasonable fee” or reject it.
These exceptions should be used with caution, however. The GDPR doesn’t give specific definitions or examples of what counts as manifestly unfounded, excessive or repetitive, and organisations that use them must be capable of demonstrating their justification.
What’s more, they can’t have a blanket policy for determining the acceptability of requests; they must instead consider each request on a case-by-case basis.
In general, an unfounded request is one that the individual sends to disrupt the organisation, or which contains unsubstantiated accusations against the organisation.
Things aren’t much clearer when it comes to what’s considered repetitive, but you can generally intuit this based on how often you collect personal data. If you’re continuously collecting data, the window for what’s considered repetitive might be as short as a few weeks.
By contrast, if you’ve collected only a handful of pieces of personal data – like a name and email address – and have stated no other reason to process data subjects’ information, then multiple DSARs within a year might count as repetitive.
Become a DSAR expert
Organisations that appoint a DPO will generally hand the majority of their DSAR tasks to them. That makes sense, because whether they’re completing the DPO’s duties on a full-time basis or alongside their existing job, they’ll probably be the employee most knowledgeable about the GDPR.
If you haven’t appointed a DPO yet, now is the time. Their position as an independent data adviser and data protection expert makes them an invaluable asset to your organisation.
You can find out what it takes to fill the position with our Certified Data Protection Officer (C-DPO) Training Course, which covers everything from DSARs and DPIAs (data protection impact assessments) to staff training programmes and how to liaise with supervisory authorities.
A version of this blog was originally published on 31 July 2017.