It’s arrived UK GDPR is now enforceable and while we may all be tempted to sit back and relax feeling confident we’ve ticked all the boxes there is still plenty to be vigilant on – we need to ensure we’re up to speed on managing our ongoing obligations under GDPR.
One of the most commonly used eight rights of the data subject is the right to access. Where a data subject (client/customer) can ask to see all information held about them by you – known as a Subject Access Request (SAR). Now while this might be seen as a hindrance to a business, it’s an opportunity to enhance reputations and improve customer service.
Of all the complaints the ICO (Information Commissioners Office) received between September 2016 and August 2017 27% of cases related to data access requests or obtaining data. (ICO Stats for Complaints and Concerns). Many complaints are around delays:
- taking too long to receive the data
- over the deadline
- poor searches – the individual believes the information is incomplete and repeated requests
- an individual has to make repeated requests for the information.
What Is A Subject Access Request (SAR)?
Under UK GDPR a subject has a right to ask you as a business to provide access to certain information held about them, and you must provide this information within one month of receipt, a working approach would be to use 28 days to always ensure compliance within a month. You cannot charge a fee for this service except in certain limited circumstances – see section later on in the post – Can I refuse to comply with a request?
The data subject can ask for the following:
- the personal data you hold
- the reasons you are storing/processing their data
- the categories of personal data concerned
- information about any profiling or automated decision-making activity on the data and the consequence of this – (more applicable in the financial world)
- who the data will be shared with, including if the data is going to a third country and safeguards that are put in place to protect the data
- how long the data will be stored for and why it will be stored for that period
- information about their rights – e.g., erasure, rectification
- information about their right to lodge a complaint
How Do I Deal With A Subject Access (SAR)?
It’s important to have a process in place for how you deal with requests. It needn’t be too onerous, and for the self-employed or small business, a simple one-pager. The following steps would suffice as process tailored to for your business:
2. Acknowledge a SAR has been made – contact the individual and confirm receipt of the SAR – even if verbally provided by the individual.
3. Verify The Individual’s Identity – because a request can present itself in many different ways – verbally, over the phone, via social media it’s important to verify the identity of the individual if you are at all unsure. Let the individual know as soon as possible that you need more information in order to verify their identity. Your 28 days time limit does not start until you have received the additional information to verify the individual’s identity.
4. Request Scope Of Information Required – it’s not unreasonable for you to ask the individual for further information to support the request. Very often an individual will have a reason for making the request and understanding this can help in managing the request efficiently. However, the individual does not have to provide this information and could re-assert the original request which you would need to comply with.
5. Conduct Searches – now it’s time to find the data – this could mean searches of both paper-based and electronic records. Before GDPR came into operation if you completed an information audit of all your pockets of data held in the business then conducting a search will be much easier.
6. Data changes during collection – businesses are not permitted to update or change data because they feel it may be embarrassing or inaccurate.
7. Compile and Review – do you have all the relevant information? Does the information contain any details on other data subjects? Confirm you have all the information required and have identified any other identifiable data subjects within the information. If the information does identify other individuals, then this detail can be redacted or removed. Ensure the information is ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’ – ICO guidance.
8. Supporting Information – explain why the data is stored/processed and confirm the data subjects rights. The individual may want data corrected or erased.
9. Securely send the information – GDPR requires that information provided under a right of access request should be sent securely and electronically if required by the individual. If using post ensure registered post is used. If sending electronically then use an encrypted email service if not possible then sending the data in a password protected file is second best – ensuring the password is sent by other means and not email, possibly SMS text.
Can I refuse to comply with a request?
You can refuse to comply with a subject access request if it is manifestly unfounded, excessive or repetitive.
If you consider that a request is manifestly unfounded or excessive you can:
- request a “reasonable fee” to deal with the request; or
- refuse to deal with the request.
If you are refusing to deal with the request you need to let the individual know and why; also that they can make a complaint to the ICO (or equivalent supervisory authority).
If you are charging a fee, it should cover the administration overhead only. Inform the individual you will be charging a fee, and you need not process the request until the fee has been paid.
Do make sure you are following a process for dealing with requests for access to information from a customer or client. Deal with requests as efficiently as you and be aware of your obligations.
If you are struggling with GDPR Compliance and don’t know where to start Buzz Web Design & Consultancy has put together a helpful pack to get you started on the road to compliance – GDPR Compliance Pack and for those working in the private healthcare sector a GDPR Therapy Agreement.
If you are unsure about GDPR and what it might mean for your business, feel free to contact me. Contact Me
Shop For Products
Subscribe For Latest Updates
Free E-Book 5 Things To Fix On Your Website In The Next Week To Increase Leads
Stop wasting time on the Internet!
Like most business owners, you are probably distracted and overwhelmed by the possibilities of doing business online.
It is also true that most of us fail dismally in our online ventures. So here are five things you can do in the next week to get the needle moving in the right direction.