Complying with GDPR When a Subject Sends an Access Request
One of the many significant changes brought about by GDPR was the data subject’s greater right of access to personal information. And that is far-reaching. The data controller must fulfil a subject access request (SAR) within a month to comply with GDPR. So, the correct systems must be in place to make sure this happens. To get a better grasp of this, what access rights do data subjects have?
Subject Access Rights
Under GDPR, a data subject is a person who is identifiable from the information which a controller holds on them. The controller is the party that decides the how and why of data processing and bears the most legal responsibility. Third parties handling the data on behalf of a controller are “data processors”. They also have obligations by law.
In the interests of transparency, GDPR gives individuals a full right of access to their data under Article 15. They have a right to know or do the following:
- The purposes of data processing
- The categories of personal data collected
- The recipients or recipient categories to whom personal data has been or will be disclosed
- The period of data storage or the criteria for determining that period
- The source of the data if not obtained first-hand
- The existence of automated decision making
- The logic involved in automated decision making and any risks it poses
- The safeguards in place for the passing of data to a third country or global body (GDPR Article 46)
- Object to data processing and lodge a complaint with a supervisory authority
- Obtain a copy of data undergoing processing
On top of these rights, data subjects have the right to correct or erase data or to move it to a third party. The latter is “data portability”. Of course, there are others, such as the right to be informed of a data breach, the right to withdraw consent, the right to restriction of processing and the rights of children. These are not detailed here because they fall outside the chosen example. All of this needs infrastructure on the part of the company: a system should be in place that deals efficiently with Subject Access Requests (SARs).
Handling SARs exposes any failings in data management. Data mapping is a vital part of responding to a SAR, since the controller must know where data resides, to respond in good time. Compliance software such as PrivIQ helps achieve this for SMEs.
Data minimisation is a key part of GDPR compliance. That means carrying out frequent inventories of data and deleting whatever is surplus. Controllers shouldn’t store personal data beyond the period originally stated. Efficiency in this area makes it easier to deal with a SAR.
Subject Access Request: an Example
Let’s imagine a motor insurance company called Starry Car Insurance. Within that company, several departments might need access to personal data, including Claims, Finance, Underwriting and Customer Care. The problem with centrally stored, easily accessible data is that it goes astray. It gets copied and moved, and soon the company is suffering from “data sprawl”. An efficient system of data management is the solution.
Starry Car Insurance receives a SAR from Mr Joe Bloggs, who is keen to know what data the company holds on him. He sends the request by email. The company now has up to 30 days to satisfy the request. What processes must Starry Car follow?
1. Initial Response
First, it’s essential to confirm the identity of Mr Bloggs. Otherwise, Starry Car risks breaching GDPR by handing over personal data to an impostor. At this point the company would also ask how the data subject wants the information delivered. This might be in writing or by email.
Having received the SAR, the person responsible at Starry Car starts documenting the request over its entire life cycle. Keeping records of an access request and all its stages is a vital part of GDPR. This is where software such as PrivIQ is a boon to small or mid-sized businesses. Built-in SAR management tracks a SAR and archives all aspects of it.
2. Gathering the Information
After verifying the subject’s ID, the Starry Car SAR handler liaises with departments to gather information. Remember, each department only has access to the data it needs, and all staff know their data-handling responsibilities.
During a SAR, all relevant departments must check digital data, any paper records (filed methodically) and search email systems for any emails which identify the subject. Deleted records are exempt, even if they are retrievable using technical expertise.
In line with data minimisation, each department only holds the data necessary to do its job. In Starry Car, the Claims department knows Mr Bloggs’ policy number and can identify him through that. It might also store a history of previous claims. The Finance department has the customer’s bank details or identifiers such as IBAN numbers. And so on.
It’s the job of the IT department to know which systems store personal data and to put adequate security in place to protect both those systems and the data they hold. A process must also exist for identifying data breaches and reporting them within 72 hours.
3. Reviewing the Information
At the review stage, Starry Car decides whether all the data it stores is safe to disclose. For instance, details of third parties should not be disclosed without justification; other persons might have been involved in a traffic accident with Mr Bloggs, for example. A SAR always needs a response, even where no data is held.
4. The Final Response
Within 30 days, Starry Car sends the requested information to Joe Bloggs in the agreed format. Under GDPR Article 15, this communication should be clear to the average person and free of any industry jargon or unexplained codes. Starry Car keeps a record of the entire process, not least to show compliance in the event of a further query.
Get Ready to Prove Compliance
Using compliance software such as PrivIQ eases the SAR process. You can add a form to your website to control requests and make sure subjects supply all the information you need. Complementary features such as data mapping help you to pinpoint the data you hold. A subject access request brings GDPR into sharp relief. If your business is not ready for such a test, get started now!