GDPR - Your obligations

GDPR - Your obligations's Tags

Tags related to this article

GDPR - Your obligations

Published 18 October 2018

Now that the GDPR compliance emails flooding our inboxes have finally started to subside, it is perhaps timely to briefly outline the duties and obligations on you or your firm, as Data Controllers, when a data subject access request (“DSAR”) is received and provide some practical tips on how best to react when you do. 

On 25 May 2018 the General Data Protection Regulations replaced the old regime, governed by the Data Protection Act 1998 ("DPA 1998").  As with the predecessor legislation, this retains a data subject's right to access their personal data under Article 15 of the GDPR.  That entitlement includes the rights to receive a copy of that personal data, and other information about the purposes of processing and retaining the same, as well as the identity of any recipients.

However, it is worth bearing in mind the below changes in the GDPR from the old regime:

  • The £10 fee has now been abolished and no charge at all can now be made for complying with a DSAR.
  • The period of time to respond to a DSAR has been reduced from 40 days to one calendar month.
  • The range of information to be provided has expanded and now includes the source of the data, the period for which it is envisaged that the data will be stored, and a summary of certain of the data subject’s rights.

Complying with these requests are often time-consuming and costly.  Although firms may refuse to act on the request if it is "manifestly unfounded or excessive", it will be up to the firm to demonstrate this. However, it is not yet clear how this will be interpreted.

There are also certain exemptions for certain sorts of information and these are set out in the Data Protection Act 2018 and in particular, Schedule 2. Many categories will be familiar from DPA 1998 such as national security, crime prevention and regulatory functions. However, we are seeing an increase in the number of DSARs made in relation to potential claims or proceedings and one of the most important exemptions for many organisations is likely to be personal data in respect of legal professional privilege that may apply in legal proceedings.

When responding to a DSAR, the Data Controller must verify the identity of the person making the request using "reasonable means".  The Data Controller's response should be in writing or potentially by electronic means. Where the request was originally made by electronic means, the information should be provided in "a commonly used" electronic form unless otherwise requested by the data subject.  A copy of the personal data must also be provided, whilst making sure that there is no inadvertent disclosure of personal data about others. The following information must also be provided:

  • The purpose of the processing.
  • Categories of personal data.
  • Recipient or categories of recipient to whom personal data has been disclosed to whom it will be disclosed.
  • Source of personal data.
  • Retention periods.
  • The existence of the right to request rectification or erasure of personal data, the right to restrict processing of personal data and the right to object to processing of personal data.
  • If personal data is transferred outside the EEA, the data subject has the right to be informed of any safeguards in place.
  • The right to lodge a complaint with a supervisory authority.

The information to be provided in response to a DSAR has expanded and such requests are becoming increasingly common. DSARs can raise difficult issues in terms of volume of data and identification of third parties, but are likely to be used increasingly in eliciting information from firms where pre-actions requests are likely to fail.


Only time will tell how the new requirements are applied to requests of this type.  Having robust processes and systems in place, to ensure absolute consistency and strive to meet the obligations in a truly proportionate manner, will be crucial. 

For further information please see: GDPR: Top 5 Tips – 11 July 2018

Authors

Becky Lea

Becky Lea

Bristol

+44 (0)117 918 2739

< Back to articles