TRU GDPR Blog, Subject Access Requests

Continuing the series of articles concerning the GDPR, this article looks at the issue of subject access requests.

Subject access requests – requests for their data by data owners – are nothing new; indeed, they are a cornerstone of the Data Protection Act 1998. The GDPR takes the current legislation and effectively simplifies it from the data owner’s (data subject’s) viewpoint. Conversely, the onus on data controllers and data processors has increased. Organisations dealing with data subjects’ data should review their processes for dealing with access requests to ensure they are able to satisfy the requests within the strictures of the GDPR. Further, as detailed below, the cost of dealing with subject access requests has to be borne by the organisation in the majority of cases. This is a cost of complying with the GDPR that could prove significant for organisations that receive large numbers of access requests.

The time limit to respond to a subject access request is reduced under the GDPR from the current 40 days to 30 days. Another significant change brought about by the GDPR concerns the ability to charge an administration fee for responding to a subject access request. With one exception, the requested information must be provided free of charge. Data controllers or data processors may, however, refuse or charge for requests that are ‘manifestly unfounded or excessive’.

Should a subject access request be refused, the data controller or data processor has a duty to tell the individual the reasons for refusal and also inform them of their right both to complain to the Information Commissioner’s Office (ICO), the supervisory authority for the UK, and to seek a judicial remedy. The individual must be notified without undue delay and within one month of the date of the request.

Organisations that receive a large number of access requests will face a logistical challenge in dealing with requests inside the revised time frame. The GDPR does, however, permit organisations to implement systems that allow data subjects to access their personal information online, which may assist here.


