You come into work on Monday morning, log in to your emails and find a customer demanding their personal data from your organisation.
You're confused. You've never had to deal with this before.
You know deep down that you can't afford to do nothing; otherwise, there could be some serious consequences for your organisation (I'll get into this later!).
Surely someone in the office will know what to do?
Unfortunately, no one really knows what to do.
You're sat at your desk thinking... "What do I do now?"
The good news is, you don't need to worry any longer.
You've found this article and I will provide you with the solutions you're looking for in an easy step-by-step format.
Ready to let go of that stress?
Let's get into this.
What is Considered Personal Data?
For something to be considered personal data:
- It must relate to a living person
- The person must be identifiable from the data, either on its own or alongside additional information in the organisation's possession
Whenever your customers ask for their personal data, it is known as a 'Subject Access Request'.
Understanding Subject Access Requests
The ICO's code of practice formally defines a Subject Access Request as "a written request made by or on behalf of an individual for the information which he or she is entitled to ask for under section 7 of the Data Protection Act 1998".
Section 7 states that individuals are entitled to access any information any organisation holds about them and this is why you've received the request.
Your organisation has 30 calendar days to respond to the subject access request.
What happens if you ignore a Subject Access Request?
It feels weird even having to say this, but do not think it is okay to ignore a request. You're putting your organisation at risk by even considering it. Here's what can happen if you decide to become complacent with GDPR:
- By failing to maintain effective records of your processing activities, you face a fine of up to €10 million or 2% of your annual turnover of the preceding financial year, whichever figure is higher.
- By breaching processing principles, data subjects' rights and even more GDPR rules, you face a fine of up to €20m or 4% of your annual turnover of the preceding financial year, again whichever figure is higher.
You get the point: don't ignore a subject access request!
Refusing a Subject Access Request
According to the ICO, you can refuse an entire request when:
- It is too expensive or time-consuming to deal with the request
- The request was made to cause adversity
- The request is the same as a previous request and came from the same person
What information are individuals entitled to from your organisation?
Individuals receive a copy of their personal information but they are also authorised to access more than just the copy:
- Individuals are entitled to know when any personal data is being processed
- Individuals are entitled to know the source of data
- Individuals are entitled to be given a description of personal data
- Individuals are entitled to know why their personal data was processed and if it is being shared with other businesses
- Individuals can also ask for the reasoning behind any automated decision
Recognising a subject access request
It isn't always easy to identify a subject access request, because an individual doesn't need to use the phrase "subject access" or reference the Data Protection Act for it to qualify as a Subject Access Request.
There is no specific or prescribed way for individuals to make a request, which means a request can come from a multitude of different sources.
This could include but is not limited to:
- Receiving a request via post
- Receiving a request via email
- Receiving a verbal request
- Receiving a request via social media channels
- Receiving a request via fax
Is your organisation set up to deal with Subject Access Requests?
As mentioned above, requests can come from anywhere and everywhere. You have to ask yourself whether you have the measures in place that will allow your organisation to handle every single request that comes through.
So how do you make sure your organisation is set up in a way that enables you to successfully deal with these requests?
Firstly, even if you have a dedicated person who deals with client and customer data, anybody in your organisation could receive a subject access request at any moment. This is why it's important everyone understands what they need to do when a subject access request is received.
This will involve training for your employees.
It is incredibly important for all employees to have data protection training to be able to recognise a subject access request.
This means employees should be aware of what a subject access request is (you can share this article with them!) and the relevant employees need to be able to deal with the requests.
For instance, the receptionist should be able to confidently pass on the information to the relevant people who can deal with the request. These people will need more detailed training as they will most likely be taking positions of data controllers and data processors.
Secondly, you should look to give guidance to both customers and employees.
As also mentioned above, employees should be trained to know what to do for subject access requests. This needs to be supplemented with written guidance, for instance, a PDF that outlines the policies and procedures required.
For customers, you should look to create a dedicated in-house form to assist customers in providing details about their request, identities and any other information which will help you complete the request.
This should make it easier for customers to complete requests without the need to complain.
Lastly, once you've offered guidance and training, you need to track your compliance with subject access requests. This means your organisation is constantly reviewing the status of each request and ensuring that every request is completed within the 30 calendar day time frame.
Now that you understand what Subject Access Requests involve, let's see what you need to do, step by step, to respond to these requests.
1) Recognise the Subject Access Request
Earlier in this article, I stressed the importance of training your staff so that they are able to recognise a subject access request. Remember, whether the request has come from e-mail, post or a social media message, you need to be willing to act upon the request.
Once you have recognised the request, ask yourself: does this request fall within the definition of personal data? Individuals can only request information that relates to themselves, not other people.
Also, it is important to recognise whether the individual is asking for more than just their personal data. For instance, the individual may be looking to erase personal data (right to erasure) or amend incorrect personal data (right to rectification), as well as receiving a copy of their personal information.
2) Verify the individual
Is the individual requesting the information who they say they are?
I know it can be tempting to just assume the person is who they say they are, but you need to follow procedure, otherwise you could find yourself sending the right information to the wrong person or even being deceived.
You will need to ask for a recent utility bill or photographic identification to verify their identity. It is best to stick with passports and licences as the main form of photographic identification.
If the person requesting the information is your employee, you don't need to verify their identity assuming you already have their identification.
Also, only ask for the information you need and nothing more.
3) Further understand the Subject Access Request
Each request is different and there isn't one answer for every single request. This means you need to dive into each request individually:
- If you're unsure of what the individual wants, contact the individual and clarify the personal data they wish to receive. It is important to remember that they don't actually have to tell you why they want this data, but they could help you refine your search.
You can also ask the individual's preferred format for the response. With this extra clarity, you should be able to move forward and direct the request to the right people within your organisation if necessary.
- Could there be a fee attached to this request? There is the possibility that the request you have received falls under the "manifestly unfounded or excessive" category which would mean you are able to charge the individual.
- Will you be able to respond to the subject access request within the 30 calendar day time frame? If it is a complex request, you could get two extra months to respond but make sure to notify the individual if this is the case.
4) Identify, search, and collect the requested information
Every folder you have lying around the office, every electronic folder on your system and anywhere else you could have client data will need to be searched to identify the information of the individual in question.
The data provided needs to be from the original record but you don't have to give the original record to the individual.
5) Identify Exemptions
Identifying what data to leave out is incredibly tricky, but crucial. For instance, you could be sending an individual somebody else's data and this would go against the Data Protection Act.
Another instance where you are required to withhold information is when it is in the public's and government's interest to withhold the data, and also when it can interfere with a legal investigation.
This is completely tailored to the individual, as it depends on the context at hand, so you need to handle this situation with care and take your time with it.
6) Securely supply information to the individual
You need to match the response with the format of the subject access request unless the individual has stated otherwise. For instance, if the individual has made the request electronically then you need to send them the response electronically.
7) Log the decision-making process
You should always record what you're doing: you need to protect your organisation and be able to prove when you are in the right. By noting down the decision-making process of the entire procedure, you can provide evidence if you ever receive a complaint.