GDPR Software


GDPR Register Request Data

Under the GDPR, individuals will have the right to obtain:

  • confirmation that their data is being processed;
  • access to their personal data; and
  • other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see Article 15).

These are similar to existing subject access rights under the DPA.

The Request Data Register is a register to record all data requests within your privacy network.

The data entry form for each register entry allows you to record the following:

  • The status of this request:
    • New
    • Pending Assessment
    • Pending Response
    • Pending Authorisation
    • Pending Action
    • Closed
  • Data Request Title: e.g. Request for all data held on Mr J Smith.
  • Notification Method: e.g. Email, Telephone call.
  • Requesting Notes: Describe all details known about the request, e.g. Received unsolicited postal mail.
  • Data Assessment: What personal data will be affected by this request, e.g. Contact information relating to web site sign-ups for similar products. T&C using positive sign-up informed users that data will be sent to partners.
  • Data Subject: Based on the Data Assessment, what actual data items/people are affected, e.g. Data possibly affected is Name, Address, Email, Telephone.
  • Data Subject Response: The Data Subject(s) (Individual, Groups, Company, etc.) response, e.g. Please remove all data from your systems.
  • Recommendations: Based on the Data Assessment, Data Subject Response and Policy/Procedures in place, recommendations to close out this item, e.g. Provide a summary of all data via email.
  • Actions: A log of all actions that were generated as part of this entry.

Further Information

What is the purpose of the right of access under GDPR?

The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing (Recital 63).

Can I charge a fee for dealing with a subject access request?

You must provide a copy of the information free of charge. The removal of the £10 subject access fee is a significant change from the existing rules under the DPA.

However, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

You may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that you can charge for all subsequent access requests.

The fee must be based on the administrative cost of providing the information.

How long do I have to comply?

You will have less time to comply with a subject access request under the GDPR. Information must be provided without delay and at the latest within one month of receipt.

You will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, you must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
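The register entry described above, together with the one-month deadline and the two-month extension rule, can be modelled as a small state machine with calendar-month arithmetic. The following is an added example written for this page; it is not code from the GDPR Software product. The allowed status transitions (advancing through the listed statuses, with Closed reachable from any of them), the field names and the `add_months` helper are assumptions for illustration, since the page lists the statuses but does not define the workflow between them.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Status(str, Enum):
    # The six statuses the register offers, in the order the page lists them.
    NEW = "New"
    PENDING_ASSESSMENT = "Pending Assessment"
    PENDING_RESPONSE = "Pending Response"
    PENDING_AUTHORISATION = "Pending Authorisation"
    PENDING_ACTION = "Pending Action"
    CLOSED = "Closed"


# Assumed workflow (not defined by the page): each status advances to the next
# one in the list, and a request may be closed from any status.
ALLOWED_TRANSITIONS = {
    Status.NEW: {Status.PENDING_ASSESSMENT, Status.CLOSED},
    Status.PENDING_ASSESSMENT: {Status.PENDING_RESPONSE, Status.CLOSED},
    Status.PENDING_RESPONSE: {Status.PENDING_AUTHORISATION, Status.CLOSED},
    Status.PENDING_AUTHORISATION: {Status.PENDING_ACTION, Status.CLOSED},
    Status.PENDING_ACTION: {Status.CLOSED},
    Status.CLOSED: set(),
}


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month
    (31 Jan + 1 month -> 29 Feb in a leap year). Helper assumed for this example."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class DataRequest:
    """One Request Data Register entry (field names assumed for this example)."""
    title: str
    received: date
    notification_method: str
    status: Status = Status.NEW
    extended: bool = False
    actions: list[str] = field(default_factory=list)  # the "Actions" log

    def deadline(self) -> date:
        """Respond within one month of receipt, or three months if a valid
        extension (one month + two further months) has been recorded."""
        return add_months(self.received, 3 if self.extended else 1)

    def extend(self, today: date, reason: str) -> None:
        """Record a two-month extension. The individual must be informed within
        one month of receipt, so a later extension attempt is rejected."""
        if self.extended:
            raise ValueError("request already extended")
        if today > add_months(self.received, 1):
            raise ValueError("extension must be notified within one month of receipt")
        self.extended = True
        self.actions.append(f"{today.isoformat()}: extension notified - {reason}")

    def transition(self, new_status: Status, today: date, note: str = "") -> None:
        """Move the entry to a new status, logging the change in the Actions list."""
        if new_status not in ALLOWED_TRANSITIONS[self.status]:
            raise ValueError(f"cannot move from {self.status.value} to {new_status.value}")
        entry = f"{today.isoformat()}: {self.status.value} -> {new_status.value} {note}"
        self.actions.append(entry.rstrip())
        self.status = new_status

    def overdue(self, today: date) -> bool:
        """True when the entry is still open past its deadline."""
        return self.status is not Status.CLOSED and today > self.deadline()


if __name__ == "__main__":
    # Constructed sample entry, using the page's own example title.
    req = DataRequest("Request for all data held on Mr J Smith", date(2024, 1, 31), "Email")
    req.transition(Status.PENDING_ASSESSMENT, date(2024, 2, 1), "assigned to DPO")
    print("deadline:", req.deadline())          # 2024-02-29
    req.extend(date(2024, 2, 20), "complex request, data held in several systems")
    print("extended deadline:", req.deadline())  # 2024-04-30
    for line in req.actions:
        print(line)
```

The `overdue` check is the value a practitioner would surface in a dashboard: it flags open entries past the deadline, and the `extend` guard enforces that the extension is only valid if the individual was told within the first month.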

What if the request is manifestly unfounded or excessive?

Where requests are manifestly unfounded or excessive, in particular because they are repetitive, you can:

  • charge a reasonable fee taking into account the administrative costs of providing the information; or
  • refuse to respond.

Where you refuse to respond to a request, you must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy, without undue delay and at the latest within one month.

How should the information be provided?

You must verify the identity of the person making the request, using “reasonable means”.

If the request is made electronically, you should provide the information in a commonly used electronic format.

The GDPR introduces a new best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information (Recital 63). This will not be appropriate for all organisations, but there are some sectors where this may work well.

The right to obtain a copy of information or to access personal data through a remotely accessed secure system should not adversely affect the rights and freedoms of others.

What about requests for large amounts of personal data?

Where you process a large quantity of information about an individual, the GDPR permits you to ask the individual to specify the information the request relates to (Recital 63).

The GDPR does not introduce an exemption for requests that relate to large amounts of data, but you may be able to consider whether the request is manifestly unfounded or excessive.