The introduction of the GDPR (General Data Protection Regulation) requires all organisations within its scope to give data subjects the right to review the personal data being held on them.
Individuals can make this request by submitting a DSAR (data subject access request), which organisations must respond to by providing:
- Confirmation that the individual’s data is being processed.
- Access to their personal data.
- The purpose for processing the data.
- The recipients (or categories of recipients) to whom the personal data has been or will be disclosed.
- The estimated period for which the personal data will be stored (or, if this hasn’t yet been decided, the criteria used to determine that period).
- A reminder that the data subject has a right to object to the processing, request the rectification of the data or lodge a complaint with a supervisory authority.
- Any relevant information about how the personal data was obtained.
- Information about automated decision-making, including profiling, and the reasoning for and potential consequences of the automation.
These requirements are broadly consistent with previous laws about personal data access requests, albeit more rigorous. However, the GDPR also includes tough rules on the way that information must be provided, which we explain in this blog.
1. You cannot charge a fee for providing information
In most circumstances, organisations will need to provide subjects with a copy of the information they request free of charge. However, organisations are permitted to charge a “reasonable fee” when a request is manifestly unfounded, excessive or repetitive.
This fee must be based on the administrative cost of providing the information.
Organisations can also refuse to grant excessive, unfounded or repetitive requests. If they do this, they must explain to the individual why they are refusing to comply, and inform them of their right to appeal to the organisation’s supervisory authority.
2. You have one month to respond
The Regulation states that organisations must provide the requested information without delay and within a month.
Where requests are complex or numerous, organisations are permitted to extend the deadline to three months. However, they must still respond to the request within a month and explain why the extension is necessary.
3. You must allow electronic requests
There are no specific rules for how a DSAR must be made; individuals can simply say, for instance, “I’d like to see what personal data you have on me” or make the request by email.
Where a request is made electronically, the information must be provided in a commonly used file format.
Similarly, Recital 63 of the Regulation states that data controllers should, where possible, provide “remote access to a secure system which would provide the data subject with direct access to his or her personal data”.
Want to simplify GDPR compliance?
You can create a system for fulfilling DSARs quickly and easily with the help of our GDPR Documentation Toolkit. It contains more than 80 templates, including policies, procedures and checklists, that you can plug into your organisation to ensure GDPR compliance.
This toolkit has been designed and developed by expert GDPR practitioners, based on their experience helping organisations of all types and sizes achieve regulatory compliance.
A version of this blog was originally published on 31 July 2017.