The General Data Protection Regulation (GDPR) will come into effect on 25 May 2018 and will change the rules governing data subject access requests. Under current data protection legislation in Ireland, a data subject access request is the legal mechanism by which a data subject (who may be an employee, customer or user) can obtain a full account of all the personal data an organisation holds about them. An individual can also request (upon paying a fee which cannot exceed €6.35) a copy of all their personal data, which the organisation has to make available within 40 days. However, amongst the numerous changes the GDPR will bring in are new rules on data subject access requests:
- Format: Although the current law does not specify the exact format in which a data subject's personal data has to be provided, the GDPR makes it clear that personal data must be provided in soft copy where requested.
- Time Limit: Under Section 4 of the current Data Protection Acts 1988 and 2003, an organisation must make a copy of the data subject's personal data available to them within 40 days. However, under the GDPR this will be reduced to one month.
- Fee: Unless the cost of producing a copy of the personal data requested is "excessive" (and it is expected that this will be an extremely difficult threshold to reach), organisations will no longer be able to charge a fee for processing a data subject access request. Given that this fee had to be paid via bank draft or cheque, it effectively operated as an administrative barrier to the filing of data subject access requests despite its nominal amount. Under the GDPR this barrier will be removed.
- Additional Information: The GDPR mandates that additional information, such as details around data retention periods, the extent of automated decision-making used and the source of personal data, will have to be provided.
According to the Office of the Data Protection Commissioner (ODPC), data access requests currently account for over 50% of all complaints, and while the ODPC received approximately 1,400 complaints in 2016, it had already received more than 1,600 by August 2017. The ODPC has also identified co-operation from organisations as a key issue, as well as a lack of preparation in terms of policies and procedures to manage requests.
Given the scale of data passing through organisations, in addition to the eye-watering fines for non-compliance, the time is now for Irish businesses to familiarise themselves with their obligations under the GDPR with regard to data subject access requests.