The new European General Data Protection Regulation (GDPR) clarifies an EU resident’s right to obtain a copy of all their Personally Identifiable Information (PII). This is known as a Subject Access Request (SAR)
The UK Data Protection Act 1998 provides a data subject (an individual whose data is being processed) with a right to access the data that an organisation holds about them. While GDPR offers the same rights, there are some differences. For example, under the current UK DPA legislation all Subject Access requests must be responded to in 40 days. However, under GDPR, which comes into law on May 25th 2018 this is reduced to 30 days.
Key recent changes to the ICO’s code of practice:
Disproportionate Effort Exemption
Data controllers, have a high expectation placed on them to respond to a Subject Access Request. The ICO code states that controllers “should be prepared to make extensive efforts to find and retrieve the requested information.” However, it is possible to use the “disproportionate effort exemption” to deny data subjects access to their personal data if you can prove that the work or expense involved in providing a copy of the information is disproportionate to the individual’s rights of access. The ICO has clarified that the assessment can consider the efforts in searching for and finding the information as well as supplying it. The data controller must show that they have taken all reasonable steps to comply with the request, and that it would be disproportionate to take further steps.
It should be emphasised that GDPR demands firms have well-organised information management systems so it will become increasingly more difficult to claim the Disproportionate Effort Exemption.
SARs are often simply a rouse to obtain information to support a grievance or other potential litigation. The ICO’s guidance states that regardless of whether a requester has “collateral purposes” for making the Subject Access Request, under GDPR, the request is still valid.
How to ensure you can comply with a SAR
To ensure your firm can comply with Subject Access Requests you should:
- Ensure you have a process for engaging quickly and efficiently with the requestor. Your readiness to assist will be a primary consideration if a complaint ensues.
- Remember that from May 25th, 2018 the time limit for responding to a SAR will decrease from 40 days to 30 days
- Take steps to ensure your data management systems are fit for purpose
- Review your “bring your own device” policy and ensure that it restricts the circumstances in which staff can hold PII on their own device. Remember that if you are compelled to search your employees personal devices for information to comply with Subject Access Requests you may also be impacting their right to privacy. We suggest you look at applications like Mobile Endpoint Security from Lookout.
- Always consider the cost and impact of searching, finding and providing the information requested with the benefits that the information might bring to the data subject in case there is the potential to use the disproportionate effort exemption.
If GDPR is worrying you or if you simply are not sure how GDPR might affect your business, we are here to help. We are happy to set up a short, no obligation call to help you understand the implications of GDPR on you and your business.