Robert Bell

How to deal with data subject requests under GDPR


Rights requests made in relation to the General Data Protection Regulation are in the news – with increasing numbers of complaints to the regulator following the implementation of the Regulation on 25th May this year, it’s clear the general public are aware of, and are prepared to exercise, their rights.

With evidence that the public are engaging with the new rules, it could be the case that some small- and medium-sized firms are under increased pressure to process requests from data subjects. With the new rules come new turnaround times, strict rules around fees, and additional requirements – in some cases, firms will, along with the information requested, also need to provide supplementary information, which usually corresponds to the information you would provide in a privacy notice. This week’s article considers how firms can ensure they are dealing with requests efficiently and in compliance with the new rules.

Most of the new individual rights come with the requirement that a firm respond to a data subject’s request within a certain timescale. The Information Commissioner’s Office has published guidance on timescales within its suite of information on individual rights; see our article for further information on timescales. In short, the ICO’s rules require some knowledge and calculation to find the correct respond-by date. Firms that do not have the capacity to set up an automatic calculation system, or to complete a manual calculation for each request, can rely on the 28-day rule, which will ensure compliance.

This marks a significant change from the previous rules. Under the Data Protection Act 1998 firms had 40 days to respond to Subject Access Requests, and were able to charge a small fee, which helped to alleviate some of the administrative costs – particularly for small firms – and helped to minimise repeated or vexatious requests. In addition to requesting copies of their data, individuals can now:

  • request their data be rectified

  • request their data be erased

  • request that the processing of their data is restricted

  • request that their data be provided to them in an easily transferable format

  • have the right to object to the processing of their data in certain circumstances (e.g. for direct marketing)

For small and medium firms, any increase in the number of requests from individuals can have a significant impact on operational workload. All businesses should be clear on the rules, and the ICO’s guidance provides some useful information for firms wanting to be sure that their procedures are as efficient as possible:

Where requests are ‘manifestly unfounded or excessive’ firms may charge a ‘reasonable fee’ for the administrative costs of complying with the request. Neither of these terms is defined, so if a firm intends to charge a fee on the basis of either, it should clearly document its justification for the definition. The Data Protection Act 2018 provides an example of a request that may be excessive as ‘one that merely repeats the substance of previous requests’. Given that the ‘reasonable fee’ amount is linked to the administrative costs of complying with the request, it would be rational to consider man-hours and any stationery costs, but anything significantly beyond the previous maximum fee of £10 should be clearly justified and supported with evidence and clear calculations. Where firms choose to charge a fee for unfounded or excessive requests, they do not need to comply with the request until they have received the fee.

Where an individual requests further copies of data, you can also charge a fee based on the administrative costs of providing further copies.

It is possible to extend the time for response by a further two months ‘if the request is complex or you have received a number of requests from the individual.’ You must ensure that you let the individual know this within one month (or 28 days) of receiving their request, and provide an explanation of why the extension is necessary. The ICO’s further guidance is that it is unlikely to be reasonable to extend the time limit if the request is manifestly unfounded or excessive, if an exemption applies, or if you are requesting proof of identity before considering the request. Firms should take care to abide by the ICO’s guidance when calculating the date of the extension.

Somewhat confusingly, the ICO also offer guidance that firms may require additional information to confirm the requester’s identity before responding to their request – and that ‘the period for responding to the request begins when you receive the additional information’, despite their advice that ‘it is unlikely to be reasonable to extend the time limit if (…) you are requesting proof of identity before considering the request’. Despite the apparent contradiction, it’s likely that the intention of the ICO is to be clear that a full two-month extension in relation to a request for identity proof would be considered unreasonable. Proportionality is key, and firms should ensure they are clear with requesters and chase up any required documentation promptly.

Finally, firms can refuse to comply with manifestly unfounded or excessive requests. Any such decision should be based on compelling reasons which should be thoroughly documented and given to the individual without undue delay, and certainly within one month of the request. The individual should also be informed of their right to complain, and their right to judicial remedy. Firms should be aware that where a request appears to be, or is, valid, reliance on the unfounded/excessive exemption is not likely to be viewed as lawful by the supervisory authority.

Where there is a request for a large amount of data, firms should seek to clarify with the requester what information they are seeking in the first instance. Until further guidance is issued on the definition of ‘unfounded’, firms that believe the request they have received is unfounded should be wary, and document and justify their reasons for the definition and for the refusal of the request extremely carefully.


© 2020 by RB Compliance Consultancy Ltd.

Registration No: 07904749.  All rights reserved. 
