Business Technology

How GDPR has changed the use of Subject Access Requests

6 min read

22 January 2018

Former deputy editor

Subject Access Requests aren’t anything new under the GDPR and, in fact, individuals have been able to request all the personal information you hold on them under the Data Protection Act, but the GDPR makes some notable changes to the process.

Our GDPR doctors series continues, as our legal and technical experts explain what companies can do to prepare for the arrival of GDPR. This week the focus is on Subject Access Requests, which Neil Larkins, COO of Egress Software Technologies, explains, building on from his insights on the importance of an audit trail.

The question Larkins tackles is:

I understand that under GDPR, customers or partners can ask to see all the personal data we hold on them. How can we get data visibility into all the information we hold on someone so we’d be able to comply in the event we receive such a request?

In a previous post, I answered a question around the importance of audit trails when it comes to GDPR and, in terms of getting general data visibility, the principles laid out there apply.

Subject Access Requests aren’t anything new under the GDPR and, in fact, individuals have been able to request all the personal information you hold on them under the Data Protection Act, but the GDPR makes some notable changes to the process. Without getting into too much detail, changes include:

  • Companies can no longer charge a fee for Subject Access Requests (under the DPA, they could charge up to £10 per request)
  • You now have 30 days to respond to any Subject Access Requests (shortened from the current 40-day deadline)
  • Subjects can now make requests electronically and, in reply, the information you send back needs to be in a commonly used electronic format

While these changes may not seem too arduous, they do mean that you are going to have to respond quickly and won’t be compensated for the time. What’s more, without a cost associated, customers may be more likely to submit a Subject Access Requests, so it’s worth being prepared for an increase in these requests.

You’ll probably want to implement a process for dealing with these requests – particularly as there is no guarantee as to who they will be directed at. That means that everyone – or at least every customer facing member of staff, as well as HR – will need to know what to do if they received a Subject Access Request.

Depending on the size of your organisation, you might want to name a specific member of staff as responsible for co-ordinating the collection of data (such as a Data Protection Officer) who can ensure the request is fulfilled sufficiently and in time.

Next comes the collection of the information itself and, more specifically, locating it. Hopefully most of it will be digital but you will need to make sure that any physical data (such as copies of passports that have been sent in the post) are also included. Essentially, this requires having a robust system for storing data – whatever its format.

One challenge many organisations are likely to come up against is email archives. Given the amount of information that is sent over email, there’s every chance there’s some personal data that would be applicable for Subject Access Requests lurking in inboxes and archives across your organisation. You will need to be able to gather this quickly.

What’s more, individuals can also request to know if their information has been shared with a third party so if, for example, personal information of employees has been shared with an external HR provider, you’ll need to be able to confirm with whom the data was sent, when and for what purpose.

While this might sound like a huge undertaking, with the right tools and processes in place, it can be relatively straightforward. There are, for example, solutions available that will allow you to search for specific keywords across the company’s email and archives from a single dashboard, enabling you to quickly call up what you need.

Combined with a thorough filing system for all data within the company, as well as a process in place that everyone is aware of, these requests can be dealt with relatively easily.

However, as a final warning – be careful to redact or remove any information relating to other individuals.

If, for example, a chain of emails contains information on anyone other than the person requesting the data, it will be illegal to share it with anyone else. Be sure to add a final check on the information you’re sending out to make sure it can’t get you in hot water!

If you have burning GDPR questions that you’d like answered, please send them to Zen.Terrelonge@realbusiness.co.uk and we’ll get these answered for you.

GDPR doctor Neil Larkins co-founded Egress Software Technologies in 2007 and currently serves as chief operations officer, playing an instrumental role in shaping the strategic direction of the business, with particular emphasis on product and service development.


Understanding the meaning of personal data ahead of GDPR

This time on GDPR doctors, we have a new doctor of legal taking on an enquiry from a business leader who has raised some data concerns.