The background – why you should be interested
The enforcement of the General Data Protection Regulation (GDPR) in May 2018 has brought about an increased awareness among ‘data subjects’ (your customers, clients, employees etc.) of their rights. In fact, most of the rights had been around for 20 years; it’s just that the vast majority of the public were either unaware of them or were not that bothered. I believe this situation is changing, not least because it’s now law that a business must provide a fair processing notice at the point of data collection, and this must include a reminder about data protection rights. If your business has the role of the data controller, that is to say, you are determining the purpose for which the personal data you collect is being processed, then this blog applies to you.
Data subjects have the right to complain about a business to the relevant supervisory authority which, in the UK, is the Information Commissioner’s Office (ICO). They don’t have to inform that business beforehand, so you may never know how many complaints the ICO has received about your business! If enough complaints are received, commensurate with the size of your operation, then eventually the ICO will take a close interest in how you are processing personal data.
This blog is intended to be of an educational nature and only covers the key areas of the relevant legislation; it does not constitute legal advice.
The rights of a data subject
From the point of view of data subjects, their rights are as follows:
• Right to be informed as to how their personal data is being processed – this is normally done via a fair processing notice (see below);
• Right of access to their personal data being held/processed – this is initiated by the data subject making a ‘Data Subject Access Request’ (DSAR), which can be done in writing, by email or even by a phone call;
• Right to rectification of their personal data if they believe the personal data being processed is incorrect or that it needs to be updated;
• Right to erasure of their personal data for which you no longer have a legitimate purpose to process. It’s sometimes referred to as the ‘right to be forgotten’;
• Right to restrict processing when, under certain circumstances, a data subject wants their personal data to be taken out of operational use for a specific purpose;
• Right to data portability of their personal data when it’s in a machine-readable format and has been provided with their consent or under a contract;
• Right to object to their personal data being processed where you have no legal or contractual obligation to process it, often associated with direct marketing; and
• Rights related to automated decision making and profiling, when a data subject can ask that a decision made autonomously be reviewed by a human.
Although the GDPR (chapter III) spells out clearly what data subjects may ask of a data controller, whether you need to respond in full very much depends on the relationship you have with them and the nature of the personal data being processed. In other words, exceptions may apply, but you will need to refer to the GDPR and the Data Protection Act 2018 for more details. Even if exceptions do apply, you will still need to respond with a justification of why you are not going to comply with the request. This must happen within the first calendar month unless you have previously justified an extension.
The business response – what you need to know
The rights process applies to all of the above rights and can be summarised as follows:
- You must respond within one calendar month, which is calculated from the day after receiving the request. If the deadline falls on a weekend or a bank holiday, then the next working day applies;
- For complex or multiple requests, you may have up to 2 more months, but you must respond in the first month with an explanation. It should be noted that the term ‘complexity’ relates to the request, not the effort involved for you to provide an answer;
- Before taking any positive action, you need to be sure that you are dealing with the right person; this means doing some form of identity check. It’s your choice how this is done, but you should be wary of collecting even more personal data from the individual just to prove they are who they say they are;
- You must decide whether a request is either ‘manifestly excessive’ or ‘unfounded’. Unfortunately, these terms are not defined, but to most businesses the situations will be obvious. An example could be where a business is subject to an organised deluge of DSARs in a very short time period; and
- You must decide whether you can make a charge for the service. The default position is that requests attract no payment, but you may apply a reasonable administrative fee if, for example, multiple copies of a DSAR response are requested.
Avoiding the shock – making your life easier
It is unlikely that you will want to employ a full-time staff member just to handle these requests, especially as, at the moment, such requests are rare. However, when a request is received, someone’s time is going to have to be diverted from their day job to deal with it. Just one request can be hugely resource intensive and very distracting. It follows that if you are prepared, the disruption to your business is going to be reduced, hopefully to a manageable level. Below, you can find a list of points to consider ahead of receiving your first request.
- Review your fair processing notice and improve it. Having a mature notice will do much to instil in data subjects a sense of confidence that you are doing things properly. This may even discourage them from ever making a request. Furthermore, a well-written notice will form part of your response to DSARs;
- Make sure you know where your data is and follow your own retention rules. If you can lawfully reduce the amount of personal data you are storing, then you are reducing your liability as well as the effort of trying to retrieve it;
- Devise a means of receiving requests efficiently. For instance, you could provide a downloadable form on your website, but you cannot insist it is used;
- Make sure your staff are trained to recognise requests and that they know to whom requests should be directed so no time is lost internally;
- Create a flow chart or a ‘what if’ action plan based on a variety of scenarios, which identifies the staff members who will be involved in providing the response;
- Determine the scope of the request and, if necessary, try to narrow it down by asking the data subject for more information; this may save you a lot of time;
- Develop a strategy for confirming the requester’s identity, for example, asking for photo ID. If more personal data is being asked for than you currently hold, consider creating an associated privacy notice to deal with this very scenario;
- Apportion responsibilities for the process, including who it is in your organisation that makes the decision to release personal data or, for instance, to decline a request;
- Conduct a series of dummy requests that involve the relevant staff members, so they are familiar with the process when requests are received; and
- Keep a record of all correspondence, emails and calls with the requester, as well as the actions taken by you, from the start of the process to its conclusion.
Understanding what you need to do when faced with someone exercising their rights is not optional, because you have legal responsibilities. Such things as DSARs are much easier to make than they are to deal with. Knowing what needs to be done and having measures in place before requests arrive is, without doubt, the best approach.
Measures do not have to be elaborate or expensive. Use of simple spreadsheets, an organised approach to data storage and good staff training will do much to prepare you for the majority of challenges. Any time saved in preparation is time that your staff can use to run your business more productively – now that must be a good thing!