The “right to access” is one of the rights that the General Data Protection Regulation (GDPR) affords people in the European Union (EU). It gives consumers the power to obtain a copy of their personal data and other supplementary information that has been collected online by a business. It also gives them the right to ask the business how and why their data is collected and used—and whether that has been done legally.
To ensure these rights are upheld, the GDPR requires businesses to know how to respond to a GDPR request (aka subject access request or SAR), which involves steps such as verifying requests, identifying data, and securely delivering copies of that information to the requester.
A person can make a SAR verbally, in writing, or even through social media. There is no need to use particular wording, refer to any data privacy law, or direct the request to a specific contact. As long as it is clear that a person is asking for their own personal data, the request is valid.
People can even make SARs through third parties such as relatives, friends, or solicitors, though businesses must ensure that the third party has the authority to request information on another’s behalf.
If children make SARs, businesses must determine whether the minor is sufficiently competent to understand their rights. If so, the business can respond to the child directly. Otherwise, a parent or guardian must exercise the rights of the child on their behalf.
To respond effectively to a SAR, businesses of every size (the data protection rules apply to small businesses as well) must have a GDPR request response process. This procedure should act as your company’s guideline for responding to, processing, and recording SARs, and it should be reflected in a GDPR-compliant, up-to-date privacy policy.
The steps to respond to a SAR are as follows.
Once you receive a SAR, you must comply “without undue delay”. At the latest, you should respond within one month of receiving the valid request, confirmation of the requestor’s identity, or any applicable fee. You can extend the time to comply by up to two months if the request is complex or if the individual has sent in multiple SARs.
Whether a request is complex depends on the nature or volume of the SAR and on the resources the business has to process it. Examples include technical issues, confidentiality problems, or the need for specialist work.
Because of the nature of personal data, it is important to ensure that it is accessible only to the relevant individual (the data subject). Businesses are responsible for verifying a requestor’s identity, using whatever proof of identification will confirm that the requestor is asking for their own personal data (e.g. an ID document). An exception applies when a SAR is made through a third party, in which case the business must seek assurance that the third party is authorized to make the request on the other person’s behalf.
Additionally, businesses can ask requestors to clarify their SARs, especially if a request covers a large amount of data. That said, clarification is not necessary if the business chooses to perform a reasonable search instead.
Businesses must make reasonable and proportionate efforts to find and retrieve the requested information from their hard-copy or electronic files. The information may exist in various forms, such as text, audio, or video.
Individuals are entitled to a copy of the personal data (and other supplementary information) requested. If someone requests a large amount of data, businesses can provide excerpts. Businesses may also exclude some data that is exempted from SARs or redact non-relevant information.
Before disclosing personal data, it is important to know the preferred medium for the response. Usually, if someone submits their request by email, you can respond the same way to share the personal data. But they may also request a different form of response that is more accessible to them, such as by email or fax.
All SARs should be kept on record to track the personal data disclosed and the steps taken to comply with each request. This record is helpful if the requestor raises any issues with the authorities that enforce the law.
Responding to GDPR requests is the responsibility of businesses. It is therefore imperative for all companies that do business with consumers in the European Union to comply with the regulations on consumers’ right to access.