The GDPR bestows a range of important rights upon individual data subjects.
At the core of the GDPR itself is the principle that personal data be
processed ‘lawfully, fairly, and in a transparent manner’. This and the
other principles set out in Article 5 of the GDPR support and are supported
by the data subject rights, which are as follows:
· The right to be informed;
· The right of access;
· The right to rectification;
· The right to erasure;
· The right to restrict processing;
· The right to data portability;
· The right to object; and
· Rights relating to automated decision-making (including profiling).
As the one-year anniversary of the GDPR approaches, it is important to
ensure that you are familiar with these rights and that all data subjects
whose data your business collects, holds, and processes have
easily-accessible information about their rights and how to exercise them.
Similarly important is having in place the right internal policies and
procedures to support the exercise of data subjects’ rights. Of these, one
of the most important is the right of access.
Our new data protection offerings this month focus on these two key points.
The first is a new customer-facing policy document - a Data Subject Rights
Policy; the second, an internal policy and procedure for handling subject
access requests - a Data Subject Access Request Policy & Procedure.
New GDPR Data Subject Rights Policy
As summarised above, data subjects have a range of important rights under
the GDPR. The first right, the right to be informed, in fact requires you
to tell data subjects about their other rights too. This will normally be
you prefer – go with it – these names are interchangeable but many of you
have been asking us what the difference is), however, it may be desirable
to provide more detailed information on each right, as well as guidance on
how to exercise them.
This is precisely what our new policy template does. Each of the rights
listed above is described in user-friendly terms along with helpful
information about the time limits within which you must act (normally a
month, but extendable by a further two months in limited circumstances),
fees payable (normally none, but again, in limited circumstances, you may
be able to recoup your costs of complying), and exceptions or limitations
to the rights.
Information is also provided about how to exercise each right. Normally
this will be simply telling the data subject to contact you, but in some
cases you may offer an online account management facility or similar which
enables some of the important rights to be exercised directly by the data
subject (downloading a complete copy of their personal data, for example,
or deleting their profile, thereby erasing all of the personal data you
hold about them – just make sure these features do work as advertised if
you are offering them as ways to exercise these key rights).
A Privacy Notice or Policy is a vital step to take in providing the
required information to data subjects. Our new Data Subject Rights Policy
is a valuable companion to such a document. The GDPR noise may have
quietened down, but that doesn’t mean you should rest on your laurels. The
more helpful information you can provide to individuals, the better!
New Data Subject Access Request Policy and Procedure
One of the most important rights under the GDPR is the right of access.
This is normally exercised by means of a ‘subject access request’.
Individuals exercising this right have the right to find out about the
personal data you hold about them, what you are using it for, and why. The
right of access also entitles individuals to a copy of that data.
If you have previously downloaded one of our Data Protection Policy
templates, you will already have seen the section on subject access
requests (or “SARs”), providing the essential outline information. This new
policy and procedure template is designed to supplement our Data Protection
Policies in a big way.
This document takes you through the process of handling a SAR, all the way
from receipt, through locating information, complying with time limits,
determining whether or not you can charge anything (not usually, but in
exceptional cases), whether or not you can refuse, and finally to the
information that should be provided in your response.
Some sections of the template are addressed to all staff within your
business; after all, SARs come in many forms and could be addressed (orally
or in writing) to any of your staff, so it is important that everyone
within your business knows how to spot a SAR and what to do with one if it
comes to them. The remaining sections are geared towards those staff who
are authorised to handle SARs and set out important guidance.
Compliance with SARs is of vital importance for any business that handles
personal data and, particularly for those with multiple file systems and
departments, tracking down that data quickly should not be left to chance.
By having a clear procedure to follow, efficiency and accountability can be
maximised, meaning that SARs can be handled with the minimum of fuss. So,
don’t delay - download our new template today!
The contents of this Newsletter are for reference purposes only and do not constitute
legal advice. Independent legal advice should be sought in relation to any specific