Welcome to the fifth instalment in our mini-series of blog posts on the General Data Protection Regulation ("GDPR").
GDPR gives individuals greater rights over their personal data. This post highlights three of the principal rights of which data controllers should be aware: subject access, rectification and data portability.
1. Subject Access
Under GDPR, individuals are entitled to request the following information from a data controller:
- confirmation that their personal data is being processed;
- access to their personal data; and
- supplementary information including, for example, the purposes of processing, the categories of personal data, recipients of the personal data, retention periods and the right to request rectification or erasure and to complain to the ICO.
Free of Charge
Under the Data Protection Act 1998, data controllers are entitled to charge a fee of £10 to respond to subject access requests. The right to charge a fee is removed under GDPR – the data controller must provide the requested information free of charge.
If a subject access request is manifestly unfounded or excessive (for example, because it repeats an earlier request), organisations may charge a reasonable fee or refuse to respond. What is considered "reasonable" will depend on the administrative cost of providing the information. Note that the burden of demonstrating that a request is manifestly unfounded or excessive falls on the data controller, so the ability to request payment or refuse to respond is likely to be relatively limited in practice.
Time Limits
Data controllers must respond to an access request within one month of receipt. The response time may be extended by up to two further months where requests are numerous or complex, but the data controller must inform the data subject within one month of receipt that an extension is required, together with the reasons for the delay.
If a data controller decides that, due to the nature of the request, it is not required to respond, it must inform the data subject without delay and no later than one month after receiving the request, setting out the reasons why it has chosen not to respond in full and informing the data subject of their right to complain to the ICO and to seek a judicial remedy.
2. Rectification
Data controllers must ensure that personal data they process is accurate, kept up to date and deleted or corrected without delay if it is inaccurate. GDPR gives data subjects the right to request correction of any inaccurate or incomplete personal data held by the data controller. Data controllers must comply with the request without undue delay.
3. Data Portability
Under GDPR, where processing is carried out by automated means and is based on the data subject's consent or on a contract with the data subject, data subjects are entitled to:
- receive a copy of their personal data in a structured, commonly used and machine-readable format;
- store such personal data on a private device for personal use; and
- require the data controller to transmit the personal data directly to another data controller, where this is technically feasible.
Responding to a data portability request does not require the data to be deleted from the data controller’s systems nor does it affect the original retention period.
Any failure by a data controller in respect of a data subject's rights as set out above could incur administrative fines of up to €20,000,000 or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Organisations should consider:
- implementing training and developing policies for employees to help staff recognise when a data subject is exercising a GDPR right;
- developing policies for the Data Protection Officer (or equivalent person within the business) to follow when responding to a data subject, including drafting template response letters to ensure responses are GDPR compliant;
- developing a subject access request section on the organisation’s website providing contact details and a template letter which a data subject can use for any requests (please note that although a template can be provided to facilitate a data subject’s request, a subject access request can be made in any format and a data subject does not have to use any template provided); and
- establishing a procedure for verifying the identity of the requester before any personal data is disclosed (GDPR permits a data controller that has reasonable doubts about the identity of the requester to ask for the additional information needed to confirm it), so that a subject access request cannot be used to obtain another person's data; and
- reviewing the data which is held and the ease of access to such data so that a data subject's requests can be dealt with quickly and efficiently.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.