GDPR Subject Access Request Procedures

At the end of May, the General Data Protection Regulation becomes law across all European Union Member States. This legislation aims to provide greater protection of the data of all EU citizens wherever they reside.

One of the main components of the GDPR is the Data Subject Access Request (DSAR). It means that any EU citizen whose data is collected by a business or enterprise can check that the data is being processed lawfully. This is just one of the data subject rights that the GDPR has strengthened. Harsh penalties for non-compliance are intended to emphasize the seriousness of failing to respond to a DSAR.

The right of data subjects to access their personal data is an important principle of data protection law. It goes a step further than simply requiring controllers to supply data subjects with copies of their personal data on request. The existing rights of data subjects are strengthened under the DSAR guidelines.

As of May 25, it will be easier for any EU citizen to make a request. Furthermore, all companies that hire or do business with EU citizens must recognize a DSAR and comply with it.

Because of this, businesses must be prepared to receive and respond to DSARs. They must have a Data Controller whose job it is to receive and process DSARs, and who must notify the data subject whether their data is being processed. Under the GDPR, processing means any operation, or set of operations, performed on personal data, whether on individual records or on a set of data. Such processing may be automated and includes collecting, recording, organizing, grouping, analyzing, altering, adapting, storing, retrieving, transmitting, archiving and/or erasing data.

Data subjects must also be told what was collected and the purpose for its collection. Informing data subjects is the job of the company Data Controller.

A data subject who submits a DSAR must also be advised of the following:

  • The categories into which the data is entered
  • Reasons for processing
  • How long the data will be retained
  • Any other party which will have access to this personal data
  • Their data rights; for example, data subjects must be told that they have the right to correct, amend or add to data that is incorrect or incomplete.
  • Whether their data is subject to automated processing (e.g., profiling).

What Changes with the Introduction of GDPR?

Businesses will continue to request personal data from employees and clients. However, DSAR procedures within the company must be updated to reflect the GDPR changes. Employers will have up to a month to respond to a DSAR. They may not charge a fee for the time and labour involved unless the Data Controller can show that the request is repetitive, unfounded or unrealistic.

Companies will have to make decisions about what data they collect, how it is processed, what it is used for and whether it will be retained.

There is a new emphasis on the rights of data subjects to examine their data, have it moved to another company, and request revisions, corrections, additions or even erasure of their data. Moreover, data subjects must receive clear, easy-to-understand information about each of these rights, including the DSAR.

Company Preparation for Data Subject Access Requests

To comply with DSARs and the other rights of employees and clients, companies need to update their policies.

Staff must receive GDPR training so that they know the rights of data subjects and how to respond to requests such as a DSAR.

Businesses need to have a procedure in place for receiving and responding to data subject requests, and they need to have appointed someone in the company to act as Data Controller and handle requests such as DSARs.