GDPR has been in force for more than a month now, and many organisations are coming to terms with the impact that the new regulations are having on their day to day practice.
Much of the media interest has focused on large scale data breaches, but many organisations are finding that the volume of subject access requests (SARs) are creating as much pressure as the threat of a breach.
SARs are not new - they were found in the Data Protection Act 1998. They entitle individuals to find out what personal data is held about them by an organisation, why the organisation is holding it, and who that organisation discloses their information to. This right continues under the GDPR.
The Information Commissioner's Office ("ICO") has updated its published guidance to assist organisations in dealing with requests from individuals for their data:https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/
According to the ICO’s own official statistics, mishandling of SARs is the number one data protection issue complained about by the public. In 2016, 42% of the more than 18,000 data protection-related complaints lodged with the ICO concerned individuals’ rights to access their personal data held by organisations.
Under GDPR the request can be made verbally or in writing and can be made to any part of your organisation, including via social media. As long as it is clear that the individual is asking for their own personal data then it will be regarded as a valid request.
Few organisations have systems in place for recording these requests, particularly those made verbally or through less formal channels. This could cause problems when ensuring that these requests are handled in accordance with the requirements of the Data Protection Act 2018.
In most cases, no fee can be charged, unless the request is manifestly unfounded or excessive.
The request must be dealt with promptly and at the latest within one month of receipt. If the request is complex you can extend the time to respond, but you must let the individual know within one month in any event.
The responsibility for complying with a SAR lies with the controller; reliance on a 'processor' is not a good reason for failure to respond.
If you believe that there is good reason not to comply with the request you should inform the individual about the reasons, their right to complain to the ICO, and their ability to seek to enforce their right through a judicial remedy.
The ICO has a number of powers - this includes issuing warnings, reprimands, ordering compliance and imposing a large fine on an organisation that has breached the GDPR. If a fine is deemed appropriate the ICO will have considerable discretion to set the level. There are no fixed penalties or minimum fines. The ICO will take into account past conduct.
As with any new regime there will be uncertainty around the imposition of fines and the level of those fines. But having robust systems in place and acting in good faith in response to any requests will go a long way to restrict any corrective measures or fines that could be imposed.
It is also worth bearing in mind that under the GDPR the rights to claim compensation have been expanded. Any data subject that has suffered material or immaterial damage as a result of processing that is not in compliance with the Regulation will have the right to receive compensation from the controller for the damage suffered.
The Data Protection Act 2018 makes it a criminal offence to alter, deface, block, erase, destroy or conceal personal data to prevent disclosure to a data subject. So it is therefore important to fully understand which exemptions if any you can rely on when responding to SARs.
We have already noticed a significant increase in enquiries from individuals seeking to bring a civil claim against an organisation for breaches of the GDPR. Whilst the level of damages they are entitled to may be low, the cost to the organisation of dealing with such claims can quickly escalate. Time spent getting robust policies and procedures in place now may pay dividends in the long run.
If you have an enquiries relating to a civil claim contact Christopher Francis
Data protection webinar: privacy considerations for workplace monitoring
Assessing the impact of the Clearview AI decision - how clear is the future of the UK’s AI data protection law?
Considering professional negligence in the use of AI - whose fault is it anyway?
We produce a range of insights and publications to help keep our clients up-to-date with legal and sector developments.
Sign up
