The rules for making a subject access request (SAR) under the GDPR will be similar to the Data Protection Act 1998. However, there are key differences. With less than six months until the GDPR comes into force, it’s time to make sure you can meet new requirements to be legally compliant.
A SAR is the right of an individual to request any personal data you hold about them. The reason that the GDPR and the Data Protection Act 1998 (DPA) provide this right is so individuals can verify that their personal data is being processed lawfully. SARs must be made in writing. Individuals can ask:
At the moment you can charge an administration fee for SARs. Under the GDPR you cannot charge unless the subject access request is ‘manifestly unfounded or excessive’. However, you will have to be able to prove that the request is ‘manifestly unfounded or excessive’. As the guidance isn’t specific, that’s difficult. The GDPR states that you can charge a ‘reasonable fee’ for multiple requests – again the guidance isn’t specific, so approach with caution.
The GDPR allows you just one month to respond to subject access requests instead of forty days under the DPA. This deadline can be extended by a further two months for a complicated or large request. The data subject must be notified of any deadline extension within one month of receipt of the SAR and they must be given an explanation of the decision. You will need to make sure that your organisation has procedures in place to cope with this reduced timescale.
If an individual makes a SAR electronically then you must provide the information in a commonly used electronic format unless they request otherwise. Before sending out electronic information you must verify the individual’s identity. As you only have one month to respond to SARs, you need to make sure that if requests are emailed to a particular staff member, they are still actioned when that staff member is absent.
When you respond to SARs you should tell the individual what personal information is held about them, the purpose for which it is held and what processing is being carried out. You might also need to provide additional information such as your data retention period.
The GDPR and current DPA hold the same position here. Under the DPA organisations can withhold information if it regards the prevention, detection or investigation of a crime; national security or the armed forces; the assessment or collection of tax; and judicial or ministerial appointments. The GDPR states that personal data can be withheld if it would ‘adversely affect the rights and freedoms of others’. In future our government may introduce further exemptions to SARs relating to public security, so we will have to watch this space.
Final point: The key change most likely to affect your organisation is the reduced response time. As the GDPR only allows you one month to respond to subject access requests, you might consider implementing a ‘data subject access portal’. This will enable individuals to access their personal data promptly, remotely and easily, ensuring that subject access requests are GDPR compliant.
Working in partnership with IT and cyber security specialists at Soitron UK, our information security lead auditors can: