Unless you’ve been living under a rock for the last few months, you will know that the General Data Protection Regulation (the “GDPR”) came into force on 25 May 2018. The GDPR has clarified and extended the rights of individuals to access and control their data. In this article, we offer a practical guide to dealing with data subject access requests by individuals under the GDPR.

Now, more than ever, organisations need to be aware of their obligations to protect personal data and provide transparency on how they process it.

In summary, the GDPR provides the following rights for individuals:

  1. The right to be informed (Articles 12-14 and Recitals 58-62);
  2. The right of access (Articles 12 and 15 and Recital 63);
  3. The right to rectification (Article 16);
  4. The right to erasure (Article 17 and Recitals 65 and 66);
  5. The right to restrict processing (Article 18);
  6. The right to data portability (Article 20 and Recital 68);
  7. The right to object (Article 21 and Recitals 69 and 70);
  8. The right not to be subject to automated decision-making (Article 22 and Recital 71); and
  9. The right to be notified of a personal data breach where it is likely to result in a high risk to them (Article 34 and Recital 86).

This article focusses on the right of access and offers a six-point practical guide to dealing with a data subject access request (“DSAR”) under the GDPR.

1. Recognising a DSAR

It might seem obvious but the first step to responding to a DSAR and complying with your GDPR requirements is recognising when a DSAR has been made. Unfortunately, the GDPR does not specify how an individual should make a valid request and guidance from the ICO simply states: “An individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point.”

To be on the safe side, therefore, you should treat any request by an individual for their own personal data as a valid request under the GDPR, whatever channel it arrives through. It is important that all staff members within an organisation have some basic training on the GDPR and, at the very least, can recognise a request and pass it on to the person within the organisation who will deal with it. Recognising the request is not the same as taking the requester at face value: a DSAR answered to the wrong person is itself a personal data breach. Article 12(6) allows you to ask for additional information to confirm the requester's identity where you have reasonable doubts about it, and Recital 64 expects you to take reasonable measures to verify identity, particularly for requests made online. Confirm who is asking (and, where someone requests on another person's behalf, their authority to do so) before anything is disclosed, but ask only for what is proportionate to the circumstances.

Some experts have recommended that larger organisations (which are more likely to receive many DSARs) publish a standard form on their website for individuals to complete in order to make a DSAR. A form can help capture the requester's identity and the scope of the request in one go. However, as there is no requirement for individuals to use such a form, it can only ever be offered as a convenience, and one that is not clearly signposted may add confusion and administration rather than remove it; a request that arrives by any other route is still valid and still starts the clock.

2. Move quickly – you only have a month

You must act on a DSAR “without undue delay” and respond within one month of receipt. This is a shorter time period than the 40 days previously allowed under the old Data Protection Act 1998 (the “DPA 1998”) and so organisations need to be on the ball.

However, the period can be extended by a further two months where necessary, taking into account the complexity and number of the requests (Article 12(3)). If you rely on this, you must tell the individual within one month of receiving the DSAR that you need more time and give the reasons for the delay; the extension is not automatic and should not be treated as a routine buffer.

3. Dealing with excessive requests

You cannot ordinarily charge a fee for complying with a DSAR – the £10 fee under the DPA 1998 has been scrapped. However, if a DSAR is “manifestly unfounded or excessive” you are able to:

  1. charge a “reasonable” fee to comply with the DSAR; or
  2. refuse to deal with the request at all (GDPR Article 12(5)).

As to what counts as a "reasonable" fee, section 12 of the Data Protection Act 2018 (the UK legislation supplementing the GDPR) ("DPA 2018") gives the Secretary of State power to make regulations limiting the fees that may be charged under Article 12(5) and requiring controllers to publish guidance about the fees they charge. Until such regulations or guidance exist, requesting money from an individual in order to comply with their DSAR should be approached with caution, and any fee should reflect only the administrative cost of providing the information.

Similarly, whilst the right to refuse may help organisations facing vexatious requesters who make numerous identical requests, it is still early days for the GDPR and unclear what the ICO will regard as "manifestly unfounded or excessive". Bear in mind that Article 12(5) places the burden of demonstrating that a request is manifestly unfounded or excessive on the controller, so keep a record of the earlier requests and responses you would rely on, and approach refusal with caution.

If you do choose to refuse to deal with a DSAR, you must inform the individual without undue delay, and within one month of receipt of the request, of:

  1. the reasons you are not taking action;
  2. their right to make a complaint to the ICO or another supervisory authority; and
  3. their ability to seek to enforce their right through a judicial remedy.

4. Identifying and searching for data

In our experience, responding to DSARs can be a time-consuming and labour-intensive exercise, especially where an individual makes a broad request for access to all of their personal data.

Under the GDPR, personal data is defined as "any information relating to an identified or identifiable natural person" (Article 4(1)) and a low bar is set for "identifiable". Recital 26 requires you to take account of "all the means reasonably likely to be used", by you or by anyone else, to identify the person directly or indirectly, so information that does not name someone (an employee number, an IP address, an opinion about them in an email) is still their personal data if it can be linked back to them.

The ICO has stated that "if you process a large amount of information about an individual you can ask them for more information to clarify their request". So, where a particularly broad request is received, it may be sensible to try to agree the search parameters (date ranges, systems, the names of the people the requester dealt with) with the requester. Note, however, that the ICO makes clear that "you should only ask for information that you reasonably need to find the personal data covered by the request". Further, whilst the period for responding only begins when you receive the additional information, the ICO is likely to take a dim view of an organisation that seeks clarification simply as a delaying tactic. In any event, if the individual declines to narrow the request, you are still obliged to comply with it by making "reasonable searches".

We would advise that every organisation has someone in charge of coordinating the search for an individual's data and responding to a DSAR, working from a list of the systems that hold personal data (email, HR and CRM systems, messaging platforms, shared drives) so that no repository is overlooked. Specialist document management providers can assist with searches using date-range and keyword parameters. Whilst such services come at a cost, investing in this technology can not only ensure you comply with the DSAR in time but also demonstrate to the requester (and, if it comes to it, the ICO) that you have done your utmost to capture all the relevant personal data. Whatever tools you use, record which systems were searched, with what terms and over what dates, and who made each decision to withhold; that record is your evidence if the response is challenged.

5. Right to withhold

One of the most challenging aspects of dealing with a DSAR is deciding what an organisation can legitimately withhold from the requester. Section 45(4) of the DPA 2018 allows personal data to be withheld where it is necessary and proportionate to do so to:

  1. avoid obstructing an official or legal inquiry, investigation or procedure;
  2. avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
  3. protect public security;
  4. protect national security; or
  5. protect the rights and freedoms of others.

Note, however, that section 45 sits in Part 3 of the DPA 2018, which governs processing by competent authorities (such as the police) for law enforcement purposes; it is not the regime that applies to most organisations. For controllers subject to the GDPR itself, the available exemptions are those set out in Schedule 2 to the DPA 2018 (for example, crime and taxation, legal professional privilege, management forecasts, negotiations and confidential references) together with any restriction permitted by Article 23 of the GDPR. Each exemption must be applied case by case to the specific information in question, and the reasoning should be documented, because you may have to justify it to the ICO.

Of particular concern will be ensuring that, in responding to the DSAR, you are not disclosing the personal data of other individuals. On this, paragraph 16 of Schedule 2 to the DPA 2018 states that you do not have to comply with the request to the extent that doing so would mean disclosing information about another individual who can be identified from that information, unless:

  1. the other individual has consented to the disclosure; or
  2. it is reasonable to comply with the request without that individual's consent.

Deciding whether to disclose information relating to a third party involves balancing the data subject's right of access against the other individual's rights. The Act lists the factors to weigh when deciding whether disclosure without consent is reasonable: the type of information, any duty of confidentiality owed to the other individual, the steps taken to seek their consent, whether they are capable of giving consent, and any express refusal of consent. In practice this usually means redacting the third party's details rather than withholding the whole document; the requester's own personal data within that document must still be provided.

6. Form of response

In responding to a DSAR, Article 15 of the GDPR requires organisations to provide the requester with a copy of their personal data undergoing processing together with the following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  4. where possible, the envisaged period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
  5. the existence of the data subject's rights to request rectification or erasure of personal data, restriction of processing, or to object to processing;
  6. the right to lodge a complaint with a supervisory authority (in the UK, the ICO);
  7. where the personal data were not collected from the data subject, any available information as to their source;
  8. the existence of any automated decision-making, including profiling, of the kind referred to in Article 22 and, at least in those cases, meaningful information about the logic involved and the significance and envisaged consequences of such processing for the data subject; and
  9. where personal data are transferred to a third country or international organisation, the appropriate safeguards relating to the transfer.

Whilst the above list may seem onerous, much of the information should already be set out in an organisation's privacy policy or notice and can be drawn from it, provided the response is tailored to what was actually done with this individual's data rather than copied wholesale.

In terms of the form of the response itself, the GDPR requires that the information you provide to an individual is in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

It should be noted that the obligation is to provide access to the personal data, not to the documents containing it. In practice, however, separating the information from the documents is often too difficult and time-consuming, so it is not unusual for a DSAR response to attach (with third-party data redacted) a series of documents held by the organisation that contain the individual's personal data. Article 15(3) adds that where the request was made by electronic means, the information should be provided in a commonly used electronic form unless the individual asks otherwise. Recital 63 suggests that, where possible, the controller should be able to provide remote access to a secure system giving the individual direct access to their personal data. This is not a strict requirement and an organisation's ability to offer it will depend on its size and resources. Whatever channel you use, remember that the response is itself a bulk disclosure of personal data: send it only to an address you have verified belongs to the requester, and protect it in transit (a secure download portal, or an encrypted file with the password sent separately, rather than an unprotected email attachment).