Data Subject Access Requests (DSARs): the four words that have been striking fear into the hearts of even the most prepared and seemingly compliant organisations ever since the General Data Protection Regulation (GDPR) was enacted in 2016 and then came into force in the UK in May 2018 through the Data Protection Act (DPA) 2018.
The GDPR represents the most significant shift in privacy laws for a generation. Individual data subjects, whether they be a member of the public or an employee, now have considerably extended rights under the new DPA and the GDPR.
For most, the deluge of DSARs flooding into inboxes after May 25th didn’t quite happen, but many organisations are reporting a significant increase in DSARs, and this is only likely to grow as public awareness increases. Let’s examine six key things that organisations need to consider when implementing or reviewing their DSAR process:
1. Response Times: The Organisation must comply with the request ‘without delay’. In practice, this means one month from receiving the DSAR, or one month from verifying proof of identity. There are exceptions to this, which will be discussed below.
2. DSARs can take any written form: As an organisation you cannot insist on a submission method, or demand that the data subject fills out a prescribed form. So long as the request is in writing then this will be deemed sufficient. With this in mind, it must be possible for the data subject to make requests electronically (e.g. by email or online). Where a request is made electronically, it is reasonable to provide the information in a commonly used electronic form (e.g. email/pdf), unless otherwise requested by the individual.
3. DSARs are free: An organisation is no longer able to charge for responding to a request unless the request is ‘manifestly unfounded or excessive’. Under the previous DPA 1998, an organisation could charge a nominal administration fee of £10 per request. An organisation may now only charge a reasonable administrative fee if further copies are requested.
4. Content of response: the response should allow the individual to know what information is held about them and what processing is being carried out. In responding to a request, data controllers may need to provide further information, such as the relevant data retention period and the right to have inaccurate data corrected, all of which should be clearly stated in the organisation’s Privacy Policy.
5. Time Limits: The data controller must respond to these requests within a month. However, in exceptional circumstances up to two additional months can be sought, but only if the data subject is made aware of that extension within the first month, along with a full explanation of the reasons for the additional time.
6. Refusing DSARs: As a business or institution this one might pique your interest:
Don’t get over-excited though; a note of caution. The ICO is very clear in discouraging organisations from introducing barriers or obstructions to complying with DSARs.
So, in reality, what does all of this mean for your organisation? The most important thing is ensuring that you have a robust and efficient DSAR process in place, so that your organisation is not merely reactive but precautionary.
The DPO Centre provides a DSAR response service that deals with these types of requests on a daily basis. Our Data Protection Officers can therefore work with you to help understand your data and where it is located, design your process, policies and procedures, and prepare you for all eventualities.
For further information on DSARs or any other compliance matter, please contact us using the form below.