Explaining GDPR Data Subject Access Requests
We explain the implications of Data Subject Access Requests (DSARs) for your business in the sections below. The data subject has more rights to their data than are described here, but Articles 15-17 of GDPR are the ones related to the processing of DSARs, which is the situation your business is most likely to encounter.
Data subjects are granted new rights over their personal data under GDPR
Before GDPR, companies could collect the personal data of consumers and users without much transparency or accountability to those individuals. On May 25, 2018, that all changed. GDPR granted new rights to data subjects (defined as the identifiable individuals about whom personal data is held) over how their personal data is processed by these companies, which are either based in the European Union (EU) or process the data of individuals who reside in the EU. Today, personal data is owned by the data subjects (with some exceptions, of course), as opposed to the companies which largely profit off this information.
One of the new rights granted to data subjects is the right to file a Data Subject Access Request (DSAR). A DSAR is a petition to a company by a data subject seeking to confirm whether or not the company holds personal data about them; if it does, the data subject has the right to access that data, amend that data, or request that the data be erased. These rights are described in detail below, as well as in the actual text of the Regulation. In short:
Right to Access (Article 15):
Means a data subject may request access to any or all of the personal data a company has processed that relates to themselves. Included in this is the right for an accounting of where the data originated (if not from the data subject), the purpose of the processing, whether the data will be transferred and under what grounds, as well as the right to complain to the supervisory authority about the nature of processing.
Right to Rectification (Article 16):
Means a data subject may request that the personal data a company has processed related to themselves be amended or updated (e.g., if the data subject has a change of address, they may request this be updated in the company’s records).
Right to be Forgotten (Article 17):
Means a data subject may request that a company erase any and all personal data related to themselves, and that request must be granted in most cases. This applies where the data subject has revoked consent for processing or has objected to the processing (see Article 21), or where the data was unlawfully collected. Article 17 must also be upheld if the government has requested that this data be erased or the data is no longer needed. There are some exceptions to the Right to be Forgotten, but if any of the circumstances above apply, the DSAR must be granted.
What does this mean for my business?
The advent of DSARs creates a greater administrative burden for the companies that process personal data, but there are a few best practices that may help alleviate this burden for data controllers and processors.
The very first thing an organization trying to comply with GDPR must do is nominate a Data Protection Officer (DPO). The DPO is responsible for overseeing the organization’s GDPR obligations and, specifically, for fulfilling DSARs.
Once a DPO has been nominated, the organization ought to create a living data inventory of all the data that is collected and stored on its behalf. Article 30 of GDPR explicitly states that an organization must keep records of all the personal data it stores and of all its data processing activities. This inventory is critical to fulfilling DSARs because it provides an overview of all the personal data held in the organization’s databases, which in turn informs how each DSAR is executed.
After the data inventory has been created and is being maintained, a compliance officer at the organization must establish a protocol for recognizing DSARs, verifying the identity of the requester, fulfilling the DSAR, and delivering the fulfilled DSAR within the one-month deadline.
By aiming to become GDPR compliant and creating the infrastructure to fulfill DSARs, an organization commits to at least the following:
- Maintain an accurate data inventory
- Maintain an accurate data processing inventory
- Acknowledge, verify, and respond to DSARs within 30 days
If an organization fails to comply with any one of these, it may be in violation of GDPR requirements and subject to a fine of the higher of €20,000,000 or 4% of the company’s annual revenue.
If you have more questions about data subject access requests, talk to us today.