In this edition of ‘Are you ready for GDPR’, we take a look at the right of individuals to access the personal data held by businesses and organisations, and consider what systems and processes should be put in place to enable organisations to comply with requests for information.
Article 15 of the Regulation puts in place a mechanism broadly similar in nature to the current Subject Access Request requirements set out in the Data Protection Act 1988. Those organisations that currently receive and comply with such requests should find the transition to the right of access straightforward, although attention is drawn to the new time and charging requirements.
Recital 16 of the GDPR states:
“A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing”
This requirement highlights the need for businesses to ensure that they have appropriately and adequately complied with the information requirements for establishing a lawful basis for processing personal data, recording this for each processing purpose, and maintaining records of accountability (i.e. privacy notices etc.). It further highlights the requirement to maintain robust processes and procedures for recording and storing personal data, so that the relevant information is easily accessible in the event of a request being received.
The importance to the individual of having access is ultimately that it provides an opportunity to confirm that their data is being processed and to assess the lawfulness of that processing.
In accordance with article 12(5), any information provided pursuant to a request must be provided free of charge, save in the event that such requests are ‘manifestly unfounded or excessive, in particular, due to their repetitive nature’. In such circumstances, a reasonable administrative charge can be applied for providing the information, or the request can be refused.
Any such request must be completed without undue delay, and in any event within one month of receipt by the data controller. This period may be extended by a further two months, taking into account the complexity and/or the number of requests, provided that the data subject is notified of the reason for the extension within one month of the date of receipt of the request.
Businesses should, therefore, ensure that they put in place systems and processes for recording and complying with requests for information. Failure to provide information in accordance with the Regulation opens up the possibility of a referral to the Information Commissioner's Office, with the potential for damages payable to the data subject and/or a fine being applied.
If you would like to receive advice and assistance in relation to your obligations to provide information to data subjects under the GDPR, please contact Richard Burraston on 01293 596984 or by e-mail at Richard.firstname.lastname@example.org, or Paul Dungate on 01293 596981 or by e-mail at email@example.com.