Posted by Kate Benefer, Partner
Subject access requests
In the sixth blog in our series on the General Data Protection Regulation (GDPR), Kate Benefer, employment partner and Emma Banister Dean, partner in our Dispute Resolution team, look at subject access requests and how they can affect your business.
GDPR – What is a subject access request?
Under the GDPR, individuals have a number of rights in relation to their data. One of these is the right of access to their data and to information about how it is being processed. A subject access request is a written request an individual makes to an organisation for this.
The request needs to be in writing, but there is no specific wording required. For example, an email requesting “all personal data you have on me” will be sufficient.
Subject access requests are not new. Under the Data Protection Act, individuals have had the right to submit requests for some time. There are, however, two key changes under the GDPR:
- The right for organisations to charge a £10 fee will no longer apply.
- The time limit for dealing with the request is reduced from the current 40 days to one month.
Is it just an HR issue?
Subject access requests are often seen as being an HR issue, but they are just as applicable to any other person whose data is being processed (a data subject).
It is true that the majority of requests are brought by disgruntled employees or ex-employees as a tactic either for causing hassle for their employer or in the hope that it will provide them with early disclosure of documents which they can use in the pursuit of a claim. However, a customer, client or other third party contact has the same right to make a request.
I have never received a request, why should I worry about this now?
With data protection being such a topical issue in the media at the moment – particularly with recent high profile breaches such as the one involving Facebook – individuals are now more aware of their rights. They are also likely to be more interested in what is happening to their data and keen to ensure that it isn’t being used, disclosed or shared in a way they don’t like. Our view is that subject access requests will increase and will be used as a way of exposing organisations which have not prepared for GDPR.
What should I do to prepare for a request?
Dealing with a subject access request can be time-consuming and often frustrating, particularly if you know that the request is being used as a tactic to cause disruption or to increase a bargaining position. There is very little you can do to avoid the requests, but there are steps you can take to make it easier to deal with them and to ensure that the information you provide to individuals does not lead to complaints about data breaches.
Given that the requests are an easy way for a client, employee or third party to find out how compliant your organisation is with GDPR, it is essential that you are ready for the changes which come into force in less than a month on 25 May. You need to have a clear understanding of the data you hold, be able to justify why you have it and what you do with it, and need to be able to evidence your compliance through various policies and records.
The following key practical tips will help put your business in the best possible position for dealing with a subject access request:
- Review your data: carry out an audit of the data you hold and make sure you are able to show compliance with each of the GDPR principles, i.e. you have a lawful basis for processing, the data is collected and processed for legitimate purposes; it is accurate, has been minimised where possible, not kept longer than necessary, not used for purposes other than those for which is was obtained and is secure.
- Cleanse your data: data that you don’t need and can’t justify having should be deleted. Not only will this help you comply with the GDPR generally, it will make dealing with a subject access request easier as you will have less information to review.
- Ensure data is appropriate: staff should be reminded that anything recorded can potentially be seen by the individual in question and therefore people should think before recording things like negative opinions in emails.
- Staff awareness: ensure that all of your staff know how to recognise a subject access request and who to direct it to if they receive one. This will help avoid the risk of not being able to comply within the relatively tight timeframe.
- Staff training: those who will be dealing with the requests need to understand what they need to disclose, what exemptions apply and how the response should be dealt with. This is a complex area and training should be provided.
- Check that your third parties are compliant: if your use third parties to process data on your behalf, you should be carrying out due diligence on them to ensure they are GDPR compliant. As part of this you should check how they would deal with a subject access request.
As there is less than a month to go before the GDPR is in force, you should be prioritising GDPR preparation within your organisation.
If you have any queries or would like assistance with your preparation, please contact our specialist GDPR team on:
0800 923 2073 Email us
Corporate & Commercial
Our corporate lawyers will get you the right deal and protect your business, now and in the future.