Episode 5 – Subject Access Requests
On the 25th May 2018, the EU General Data Protection Regulations will come into force, effecting millions of businesses across Europe. The GDPR seeks to harmonise and strengthen data protection regulation across Europe and builds upon the existing data protection laws enacted in all EU countries.
The inherent basis of the act is the need for fairness and transparency in the processing of EU citizens data. Whilst the GDPR does introduce a raft of new requirements, some of which we have already covered in this series, other requirements are merely enhancements of existing legislation. The Subject Access Request being one such case.
Data subjects have a legal expectation that their personal data is accurate, up to date and being processed fairly and transparently. In order to assure themselves of this they have the right to request the correction of any errors with their personal data. In order to request those corrections, they have to be able to access their personal data. Hence the rights of rectification and the right of access.
The request to access a copy of the data held about them is know as a Subject Access Request (SAR). In the UK SAR’s were introduced in the 1980’s and updated in the Data Protection Act 1998 and the GDPR makes one or two changes to the existing rules, which companies do need to be aware of. It is also worth companies spending some time considering the implications of 21st century technology with respect to SAR’s.
Modern business makes extensive use of sophisticated Enterprise Information systems, such as SAP, to run their daily operations. These systems ensure that businesses utilise the very best methodologies for standard business practices and capture vast amounts of information. A large proportion of which is customer centric. The UK Information Commissioner is on record as saying that:
‘Given that Subject Access Requests have been a feature of data protection law since the 1980s, your information management system should facilitate dealing with SARs.’
Information Commissioner, SAR Code of practice 20170609, V1.2
The GDPR increases the protections afforded to Data Subjects, and whilst the subject of SARs contains only minor changes. Companies should be aware that the number of SARs they could potentially receive will increase if only because citizens are becoming more aware of their rights with regards to their personal data.
It is interesting to note that tweeting a subject access request to a company is as equally valid as writing a letter, sending an email or even a Facebook message. In requesting a copy of their data, a data subject does not have to make reference to the GDPR, or any other law. They do not need to send the request to the Companies Data Protection Officer. In all of these cases a company would be legally compelled to respond. The need to train staff at all levels of an organisation is clear.
Under the Data Protection Act 1998 companies were entitled to charge for providing information in response to a SAR. Under the GDPR you are not permitted to charge and the time period in which to respond has been reduced from 40 days to 1 month.
It would seem sensible then, for companies to make adjustments to their corporate IT systems. The GDPR includes a recommendation that information is supplied in an electronic form, and that where possible:
‘The controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. ‘ GDPR (63).
Data subjects are entitled to access to all of their data, both current and historic. As such the data to be provided extends beyond the live business systems, into data archives, and backups. SAP products such as Information Lifecycle Manager facilitate the discovery of personal data across all of these systems and beyond.
Companies that have yet to invest in such capabilities are well advised to do so.
Having done so it would seem sensible to incorporate the functionality into a privacy dashboard that the data subject could access. Perhaps as a web page in their account on the company’s web site.
The use of a privacy dashboard would go a long way to both relieving businesses of the increased workload in fulfilling an increased number or SAR’s. It would also fulfil requirements around security and ensuring you are providing information to the correct data subject. The need to respond to requests in a timely and cost neutral manner could be met by automating the process of information retrieval. Business also needs to be mindful of the need to make reasonable adjustments as per the Disability Discrimination act 1995, ensuring that information is provided to data subjects in an accessible form.
The European Commission and the Information Commission have both stated that the GDPR represents an opportunity for businesses to build a closer and more trusting relationship with their customers along with an efficient, clear and transparent process to respond to Subject Access Requests is just one of the ways companies can build this relationship.
Your Journey to GDPR Compliance Series – Missed an Episode? Catch up on demand below:
Stephen Lofthouse MSc BSc PGCLTHE FHEA is a GDPR Consultant with Proceed Group and a member of the International Association of Privacy Professionals. He is an award-winning SAP mentor who has worked globally for a number of years both commercially and in academia.