The new General Data Protection Regulation (the GDPR) is the first major revision of Europe's data protection laws for almost 20 years, and takes account of the explosion of technology and social media in that time. The GDPR takes effect on 25 May 2018, and will represent a fundamental change in the relationship between members of the public and anyone who holds information about them – whether it is a business, a government department or a charitable organisation.
Many people are now familiar with the "right to be forgotten", which will allow people to ask for the erasure of personal data, the mandatory reporting of "data breaches" (a term found in the existing Data Protection Directive that refers to all manner of offences) to regulators within 72 hours of their discovery, the appointment of qualified data protection officers and fines of up to €20 million or 4% of global annual turnover (whichever is greater) for the most serious transgressions.
The gravity of SARs
However, there will also be changes to "Subject Access Requests" (SARs), through which anyone can apply to a data controller (a government, business or charity that holds information on people) to see the data it holds on them.
Not many people make SARs under the existing law and most of those who do are plaintiffs - a SAR is useful as a "pre-action discovery tool" in a contentious claim.
SARs can represent a problem for organisations great and small. This is not necessarily because firms are reluctant to answer them – it is simply because organisations rarely hold data in such a way that allows them to extract it easily upon request. One of the cornerstones of GDPR is that businesses must understand what data they have and be able to access it with ease when asked to do so. An increase in the scope of SARs is expected under the new legislation, and the holders of data must be able to deal with those requests efficiently and in a shorter time period than today. Proper preparation is vital if firms want to keep the process cheap.
The current situation
Under the current Data Protection law (DPL), an individual's request for their personal data must be made in writing by letter, e-mail or fax. A request should include the requester's full name, address and contact telephone number. If the organisation in question has a dedicated data protection officer, the request may be made directly to them or to the organisation's website.
Once the SAR is received by the organisation, data controllers must carry out a search that is "reasonable and proportionate" to locate the individuals' personal data. The directive does not, unfortunately, offer its own interpretation of the word 'proportionate' for the benefit of compliance officers. Some people – perhaps most – that that a SAR that asks for "all the information about me" is disproportionate. The requester should therefore state the nature of the personal data they want in order to assist the data controller's search.
The statutory time limit is currently 40 calendar days in the UK and Jersey, and 60 days in Guernsey which starts to run from the date the data controller receives the request and any other information they may require, including the fee, identity documents and any further details to enable the data controller to locate the personal data.
Under the existing legislation, data controllers can charge a prescribed fee for responding to an SAR, with the maximum fee being £10. Different fees apply to requests for educational records, paper-based health records and to requests made to credit reference agencies. The individual should ensure that they has included a request for all of the information they require, as they may be charged an additional fee for any further request.
The GDPR will take effect from 25 May 2018, replacing the Data Protection Directive, and will automatically come into force in all EU member states. Article 15 of the GDPR deals with SARS and introduces a number of changes that enhance individuals' rights and widen the definition of "personal data"; the most significant of which are listed below:
1. Free of Charge
The GDPR requires a data controller to respond to every SAR request for free (which may pose the risk of greater volumes of requests). Whilst the first copy of an individual's data should be provided free of charge, the data controller may charge a reasonable fee based on administrative costs for any further copies requested by the data subject.
2. Refusal where excessive
It is possible to refuse to respond to an SAR if it is manifestly unfounded or excessive (or alternatively a reasonable fee for administration costs may be charged). Where large volumes of personal data are processed, the individual should specify exactly what information or processing activities their request relates to. The onus is on the data controller to prove that the request is manifestly unfounded or of excessive character. Only then can they refuse the request or charge an administration fee.
3. Electronic access and data portability
The GDPR requires the data controller to communicate the personal data undergoing processing to the data subject, together with any available information with regard to its source. If the data subject makes the SAR electronically (i.e. by email), the information must be made available to them in a commonly used electronic form, unless the individual requests otherwise.
This right is closely related to the new right under the GDPR to data portability, which is designed to permit the individual to quickly establish what types of data controllers hold about them and to extract that personal data in a compatible format for their own further use. They may put extra pressure on data controllers to put in place technical and organisational measures to ensure personal data can be extracted quickly and efficiently from systems and databases. The cost for this may well be significant.
4. Time periods for response
Data controllers will now only have one month to respond to an SAR. They may be able to extend this by a further two months taking into account the complexity of the request and the number of requests, but it seems likely that extensions of time will not be normal.
5. Right to withhold data
Under the GDPR an individual's right to obtain a copy of their data must be balanced against the rights and freedom of others. In cases where a third party's rights would be infringed, the firm can withhold data. While this provision is similar to an existing one under the Data Protection Law, the rights and freedoms that are recognised in the EU will change under the GDPR. Furthermore, EU member states are likely to introduce national derogations for personal data that benefit from legal privilege or that would prejudice law enforcement.
Whilst we are still waiting for local legislation to be drafted to understand the precise impact across the Member States, the UK government has commented that burdens on data controllers must be proportionate. They believe that the removal of the fee currently payable for subject access requests under the DPA would likely lead to an increase in repeated and vexatious requests that would ultimately be costly for businesses. It therefore appears that the UK government would favour retaining the current right of controllers to charge a small fee, but this is yet to be confirmed.
Businesses should start to plan for the GDPR now with the following action points:
- Review your records management systems and processes, both electronic and paper-based, to ensure they are consciously designed to support the efficient discovery of information
- Test your organisations ability to quickly isolate data relating to a specific individual in the necessary time period provided under the GDPR
- Identify a point of contact within the organisation that will deal with SARs and ensure that their contact details are easily available
- Roll out training to the necessary members of staff so they are able to quickly recognise and respond to an SAR
- Create procedures or review any existing procedures regarding responding to SARs and governing the refusal of requests
- Develop template response letters to ensure that all elements of a response to a SAR under the GDPR are being complied with
- Whilst not for all organisations, consider putting a subject access portal in place to allow individuals to access their information easily online
Although fines under the current legislation are comparatively low and enforcement has arguably been light, the GDPR will significantly increase the maximum fines. Currently, the ICO can issue fines of up to £500,000 for serious breaches of the DPA. Under the GDPR it will have the power to serve fines of up to 4% of a business' annual worldwide turnover of the preceding financial year, or €20 million (whichever is the greater), making compliance more important than ever.
A version of this article first appeared in Compliance Matters.