The right of individuals to access their data is already an important part of existing EU data protection law. GDPR takes this further by ushering in enhanced rights to data subjects and new obligations on entities that hold personal data.
Read on to discover what has changed. See what steps your organization should take when it comes to subject access requests (SARs).
Data subject access requests: What has changed?
The Data Protection Directive and its replacement, the GDPR, both grant individuals rights over the personal data that organisations process about them.
Individuals have the right to access the personal data an organisation is processing about them, together with the following information:
- The purpose of the processing of that data,
- The source of the data,
- Where and for how long the data is being processed,
- Who the data is being disclosed to,
- Whether (and the extent to which) that data is being used for automated decision making.
Individuals also have the right to be informed about the rights they have.
These include the right to rectification or erasure of personal data that is being processed, the right to object to and to restrict the processing, and the possibility to lodge a complaint with a supervisory authority. Individuals can also request a copy of their personal data.
Does it matter that the old EU data protection regime was based on a directive, while the new one relies on a regulation?
EU Member States had to transpose the Data Protection Directive into their own national legislation. This meant that the details tended to vary from country to country, especially on the formalities of responding to requests.
GDPR is a regulation, so it applies directly in every Member State without national implementing legislation. This means that the subject access request regime will be essentially the same right across Europe.
Here’s a rundown of some of the biggest changes.
#1: Time to comply
The old rules required Member States to ensure that data access requests were handled “without excessive delay”. Countries could set their own reasonable time limits for responding.
GDPR is more specific. Art 12(3) stipulates that the data controller must provide the SAR information without undue delay and in any event within one month of receipt of the request.
If the request is complex, or the same person has made several requests, organisations can extend the deadline by a further two months. To do so, they must still inform the data subject of the extension and the reasons for it within one month of receiving the original request.
#2: No more standard admin fees
Under the old regime, national regulators tended to set maximum fees that data controllers could charge for responding to requests.
Under GDPR, information must be provided free of charge.
The only exception to this is where requests are “manifestly unfounded or excessive” (e.g. where there are multiple requests from the same person for the same information). In these cases, data controllers can either refuse to act on the request or else charge a reasonable fee for admin costs.
#3: Clearer rules on the format of responses
GDPR recognises that electronic requests, e.g. by email, are now pretty much the standard way of submitting subject access requests (SARs).
So where an SAR is submitted electronically, it must be responded to in a “commonly used electronic format” unless otherwise instructed by the data subject.
Firms are also encouraged to get proactive in order to make subject access requests as easy as possible. Recital 63 of GDPR suggests that, where possible, controllers provide remote access to a secure system giving data subjects direct access to their own personal data; in other words, a self-service hub where customers can access their own data.
#4: Data portability and subject access rights
The new right to data portability sits alongside the general subject access right. It strengthens the ability of individuals to obtain, transfer and reuse their data, and is a key upgrade of GDPR compared to the old directive.
But there are differences between the two. Here’s how data portability fits into the picture.
In contrast to the data subject access rights, it only covers personal data provided by the data subject and processed by automatic means.
So the right to portability doesn’t apply to paper-only records.
But there are further restrictions on what data it applies to. For one, the term “provided” is read to cover personal data that data subjects knowingly and actively supply, and data generated by (observed from) their use of the service.
An example for the former would be the information an organisation’s customers provide when they open an account via an online form. While the latter could be a customer’s purchase history or account transaction history – or a list of the videos viewed via an online streaming service.
So what data does the right to data portability not apply to?
It doesn’t include data “derived or inferred from data provided by the data subject”. This refers to things like a behavioural profile an algorithm builds from a customer’s browsing behaviour or smartphone location data, or a health score calculated from the measurements of a fitness watch. The underlying browsing or sensor data may be portable; the profile or score derived from it is not.
A further distinction from the general subject access right is that it only applies to personal data processed on the basis of the data subject’s consent, or because processing is necessary for the performance of a contract the data subject has entered into.
So even though the general subject access right applies to all personal data held by a data controller, the right to portability is limited.
#5: The right to receive data
On data portability, data subjects have the right to receive their data “in a structured, commonly used and machine-readable format”. They also have the right to have that data transmitted directly to another data controller “without hindrance”, where technically feasible (this is designed to make it easier to switch service providers).
So how can companies comply with this? For many, it could involve a customer service platform redesign to enable secure direct downloading of customer data in a machine-readable format (e.g. CSV, JSON or XML). To transmit personal data directly to other companies (on the request of customers), a secure application programming interface (API) may also be required.
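To make the scope difference between the two rights concrete, here is an added example (written for this article, not code from any product or regulator) that builds both exports from one customer record. Each item carries a provenance label (provided, observed, derived), a legal basis and an automated/paper flag; the SAR export returns everything together with the Art 15(1) information, while the portability export filters down to provided or observed, automated, consent- or contract-based items and serialises them as JSON and CSV. The record, field names and labels are constructed for illustration.

```python
"""Build exports for two GDPR rights over the same customer record.

Art 15 (subject access): every item the controller holds, with the
information Art 15(1) requires alongside it.
Art 20 (data portability): only items the subject provided or generated by
using the service, processed by automated means on the basis of consent or
contract, in a structured, machine-readable format.
"""
import csv
import io
import json
from dataclasses import dataclass
from typing import Any, Dict, List

# Provenance labels: how the controller came to hold the item (assumed scheme).
PROVIDED = "provided"   # actively supplied by the subject (e.g. signup form)
OBSERVED = "observed"   # generated by the subject's use of the service
DERIVED = "derived"     # inferred by the controller (profiles, scores)

# Legal bases that bring an item within the portability right (Art 20(1)(a)).
PORTABLE_BASES = {"consent", "contract"}


@dataclass
class Item:
    field: str
    value: Any
    provenance: str         # PROVIDED, OBSERVED or DERIVED
    legal_basis: str        # "consent", "contract", "legitimate_interest", ...
    source: str             # where the data came from (Art 15(1)(g))
    purpose: str            # purpose of processing (Art 15(1)(a))
    recipients: List[str]   # who it is disclosed to (Art 15(1)(c))
    retention: str          # envisaged storage period (Art 15(1)(d))
    automated: bool = True  # processed by automated means (False = paper only)
    automated_decision: bool = False  # used for automated decisions (Art 15(1)(h))


# Constructed sample record for one customer; not real data.
RECORD: List[Item] = [
    Item("email", "alice@example.com", PROVIDED, "contract", "signup form",
         "account management", ["payment processor"], "life of account"),
    Item("purchase_history", [{"sku": "A100", "date": "2018-03-02"}], OBSERVED,
         "contract", "order system", "order fulfilment", ["courier"], "7 years"),
    Item("newsletter_topics", ["security"], PROVIDED, "consent",
         "preference centre", "marketing", [], "until consent withdrawn"),
    Item("support_notes", "asked about invoice", OBSERVED, "legitimate_interest",
         "helpdesk", "customer support", [], "3 years"),
    Item("signature_card", "<scanned image on file>", PROVIDED, "contract",
         "branch paperwork", "contract evidence", [], "10 years", automated=False),
    Item("churn_score", 0.82, DERIVED, "legitimate_interest", "analytics model",
         "retention offers", [], "rolling 90 days", automated_decision=True),
]

RIGHTS = ["rectification (Art 16)", "erasure (Art 17)", "restriction (Art 18)",
          "objection (Art 21)", "complaint to a supervisory authority (Art 77)"]


def sar_export(record: List[Item]) -> Dict[str, Any]:
    """Art 15 response: every item, plus the per-item information and the
    list of rights the subject must be told about."""
    return {
        "personal_data": [
            {"field": i.field, "value": i.value, "source": i.source,
             "purpose": i.purpose, "recipients": i.recipients,
             "retention": i.retention, "automated_decision": i.automated_decision}
            for i in record
        ],
        "your_rights": RIGHTS,
    }


def portable_items(record: List[Item]) -> List[Item]:
    """Art 20 scope: provided or observed, automated, on consent or contract.
    Derived data, paper-only records and other legal bases fall outside it."""
    return [i for i in record
            if i.provenance in (PROVIDED, OBSERVED)
            and i.automated
            and i.legal_basis in PORTABLE_BASES]


def portability_export_json(record: List[Item]) -> str:
    """Structured, machine-readable form suitable for direct transfer to
    another controller; nested values stay nested."""
    return json.dumps({i.field: i.value for i in portable_items(record)},
                      indent=2, sort_keys=True)


def portability_export_csv(record: List[Item]) -> str:
    """Flat CSV for download; nested values are serialised as JSON strings so
    the file stays loss-free and parseable."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["field", "value"])
    for i in portable_items(record):
        v = i.value if isinstance(i.value, str) else json.dumps(i.value)
        w.writerow([i.field, v])
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(sar_export(RECORD), indent=2))
    print(portability_export_json(RECORD))
    print(portability_export_csv(RECORD))
```

With the sample record, the SAR export lists all six items (including the paper signature card and the derived churn score, flagged as used for automated decision-making), while the portability export contains only `email`, `purchase_history` and `newsletter_topics`: the support notes drop out on legal basis, the signature card because it is not processed by automated means, and the churn score because it is derived. Tagging provenance and legal basis at the point of collection is what makes this filter cheap to run; bolting it on afterwards means re-deriving those labels for every field in the data map.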
What actions can I take?
- Map your data. What personal data resides within your business? What is its purpose and how is it being processed? Will processors outside of your organization have access to this data? Where does this data originate from if it was not provided directly by the data subject? Under GDPR, data subjects are entitled to all of this information. Without data mapping, it becomes practically impossible to provide comprehensive responses.
- Training. GDPR does not prescribe a form for a subject access request: it can arrive by email, web form, letter or even verbally, and through any part of the organisation, not just a privacy mailbox. Once received, you generally have a month to respond. So the clock is ticking from the moment the request lands, and staff should be trained to recognise an SAR and route it to the right team. You should also implement a standard procedure for handling SARs to ensure they are actioned within the time limit.
- Technical changes. Ideally, data subjects should be able to exercise their access rights in a way that is secure, convenient and does not overburden your organisation. Depending on the volume and sensitivity of the data, the ‘self-service’ route might make perfect sense: i.e. a subject access portal for customers. Whatever the channel, verify the identity of the requester before releasing anything (Art 12(6) allows you to ask for additional information where you have reasonable doubts); an access or portability channel that hands out a full copy of someone’s data without that check is itself a disclosure risk.