The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and will introduce the greatest changes to data protection legislation in over 30 years. In this blog, we look at subject access requests (SARs) under the GDPR and what changes this will bring in. There is less than a year to go now before the GDPR comes into force, therefore you should act now to make sure you are GDPR compliant!

What is a SAR?

A SAR is a request by an individual for the personal data your organisation holds about them. Under the DPA the request must be made in writing; the GDPR does not prescribe a form, so a request made verbally, by e-mail or via social media is still a valid SAR and must be recognised as one. The purpose of a SAR is to make individuals aware of, and allow them to verify the lawfulness of, the processing of their personal data. Under both the GDPR and the current Data Protection Act (DPA), individuals have the right to obtain confirmation as to whether their personal data is being processed. If it is, they are entitled to a copy of that data together with the following information (the GDPR adds further items, such as the envisaged retention period and whether automated decision-making is used):

  • the purposes for which their data is being processed;
  • a description of the categories of personal data concerning them;
  • the recipients, or categories of recipient, to whom their data has been or will be disclosed; and
  • details of the source of their data where it was not collected from them.

Key changes to SARs under the GDPR

Under the GDPR, the procedure for making a SAR is similar to the procedure under the DPA. However, there are some key changes you should be aware of which may require you to make changes to procedures:

Fees

Under the DPA, your organisation can charge a fee of up to £10 for a SAR. Under the GDPR, the first copy of the information must be provided free of charge. A 'reasonable fee' based on administrative costs may be charged only for further copies of the same data, or where a request is 'manifestly unfounded or excessive' (for example because it is repetitive); in the latter case your organisation may instead refuse to act on the request, but it bears the burden of demonstrating that the request is manifestly unfounded or excessive.

Impact

This may have a significant effect where your organisation receives large volumes of requests, as the administrative cost of responding can no longer be offset by a fee. At present there is little guidance on what is meant by "manifestly unfounded or excessive", so your organisation should rely on that ground only with caution and should document its reasons whenever it charges a fee or refuses a request.

Response time

Under the DPA, you must respond to a SAR within 40 days of receipt of the written request. Under the GDPR, your organisation must respond without undue delay and in any event within one month of receipt. This deadline can be extended by a further two months where necessary, taking into account the number and complexity of the requests, but you must inform the individual of the extension, and the reasons for it, within one month of receipt.

Impact

Organisations will have a shorter time to deal with SARs, and the deadline runs from the day the request is received, not from the day it reaches the right team. Having an effective procedure in place, with clear ownership and a way of tracking each request's deadline, is therefore essential to comply with the reduced timescale.

Provision of information

Individuals can make a SAR electronically. If they do so, the information should be provided in a commonly used electronic format unless the individual requests otherwise. Where your organisation has reasonable doubts about the identity of the person making the request, it may ask for additional information to confirm their identity before providing the data; it should not release personal data to anyone whose identity it has not confirmed, as doing so would itself be a data breach.

Impact

Your organisation should already have a procedure that enables staff to identify a SAR and know how to escalate it to be dealt with. A SAR need not be addressed to a particular person or department, so if it could arrive in an individual member of staff's work e-mail account, that account should be monitored (or redirected) when the member of staff is out of the office to ensure that the request is dealt with promptly. Remember that you will have at most one month to respond, so your organisation needs good procedures to make sure it complies on time.

Right to withhold personal data

Under the GDPR, the right to obtain a copy of personal data must not 'adversely affect the rights and freedoms of others', so organisations may withhold, or redact, information about third parties where disclosing it would have that effect. Any further exemptions from the right of access, such as for national security, defence and public security, are left to the UK government to introduce in national legislation.

Next Steps

  • Design and implement template response letters so that every response to a SAR covers all of the information the GDPR requires.
  • Design and implement policies and procedures for handling SARs, including identity verification and third-party redaction, and ensure these reflect the new timescales and fee rules.
  • Ensure that employees are trained to recognise when an individual has made a SAR, in whatever form it arrives, and know how it is to be dealt with.
  • Consider GDPR best practice, including, where appropriate, a 'data subject access portal' that allows an individual to access their information quickly, easily and remotely.

© MacRoberts 2017

Disclaimer

The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.