Data Subject Access Requests Under GDPR
By PlanetVerify on 27 Sep 2017
SARs & DARs
The General Data Protection Regulation (GDPR) is a set of principles and rules that guide usage, storage, and protection of data. In Ireland this will replace the 1988 and 2003 Data Protection Acts and in the UK the 1998 Data Protection Act. The new GDPR rules will start to take effect from 25 May 2018, and organisations will need to get ready to meet its many new requirements, including those organisations outside the EU who hold personal data on EU residents.
Consumer and Employee Rights
One of the key aspects of the GDPR is the rights it gives to data subjects for their personal data that has been collected. Under this regulation, data subjects have the right to receive from the data controller information about their personal data and copies of it (this is referred to as subject access requests or SARs), the rights to rectify their personal data, delete it, receive it in electronic form so that they can move it to another organisation (portability), and restrict any processing on it or object to its processing. Organisations need to be able to respond efficiently and effectively to any of these types of requests in a timely manner. The optimal solution is to automate the response.
SARs are requests made by a data subject for the information a company holds about their personal data, why they hold this personal data and to whom they disclose it to. For the information to constitute as personal data, it must be about a living human being, and it should allow the person to be identified on its own or with other added information. According to the GDPR, the following areas related to SARs need to be taken into account by most organizations.
Under the GDPR, no fees should be charged to individuals when they want to access their personal data from organisations. Companies will however be allowed to charge a reasonable fee for additional copies. Previously, under the Data Protection Act(s), a fee was allowed to be charged per every SAR responded to. The no fee charge is a significant change, one that may significantly increase the administrative work of data controller organisations. The ability to automate the response to SARs will help organisations deal with this administrative burden.
Time limits for responding to the SARs
Time limit under the GDPR is reduced. With the Data Protection Act(s), organizations had up to 40 days to reply to the requests made. Under the GDPR, data controllers are to respond without undue delay and have up to 30 days to respond to a SAR. When the requests made are complex and of a significant number, an organisation may extend the response time by up to two months but must notify the data subject within a month of receiving the request, explaining the reason for the delay.
Format to use while responding to SARs
When a data subject makes the request electronically, the response should be provided in a commonly used electronic format unless otherwise requested by the data subject. Organizations should come up with reasonable ways of verifying the identity of the person making the information requests before giving out the personal data. This is to ensure the security of the data subject’s personal data.
PlanetVerify offers services that would enable companies to comply with its obligations under the GDPR for responding to SARs. Here’s how we do it and what we offer:
- PlanetVerify ultra secure fully encrypted hosted solution which will come a long way in helping to secure and store your client data in accordance with the set GDPR.
- Through the use of PlanetVerify, organizations will be able to efficiently comply with the new rights of your customers and employees. Organizations will also be able to rapidly respond to SARs.
- Organizations will be able to effectively track important document expiry dates and continuous maintenance of current client files through the use of PlanetVerify automated data request scheduling feature.
- PlanetVerify provides its clients with an audit-ready data trail of how they manage and obtain data subjects’ personal data. It also helps to show they acted in a transparent manner and according to the GDPR in their records maintenance.