Subject Access Request Policy + Data Subject Rights Policy

April 2019

The GDPR bestows a range of important rights upon individual data subjects. At the core of the GDPR itself is the principle that personal data be processed ‘lawfully, fairly, and in a transparent manner’. This and the other principles set out in Article 5 of the GDPR support and are supported by the data subject rights, which are as follows:

  • The right to be informed;
  • The right of access;
  • The right to rectification;
  • The right to erasure;
  • The right to restrict processing;
  • The right to data portability;
  • The right to object; and
  • Rights relating to automated decision-making (including profiling).

As the one-year anniversary of the GDPR approaches, it is important to ensure that you are familiar with these rights and that all data subjects whose data your business collects, holds, and processes have easily accessible information about their rights and how to exercise them.

Similarly important is having in place the right internal policies and procedures to support the exercise of data subjects’ rights. Of these, one of the most important is the right of access.

Our new data protection offerings this month focus on these two key points. The first is a new customer-facing policy document - a Data Subject Rights Policy; the second, an internal policy and procedure for handling subject access requests - a Data Subject Access Request Policy & Procedure.

New GDPR Data Subject Rights Policy

As summarised above, data subjects have a range of important rights under the GDPR. The first right, the right to be informed, in fact requires you to tell data subjects about their other rights too. This will normally be done in summary within a privacy notice or privacy policy (many of you have asked us what the difference is: the names are interchangeable, so go with whichever you prefer). However, it may be desirable to provide more detailed information on each right, as well as guidance on how to exercise them.

This is precisely what our new policy template does. Each of the rights listed above is described in user-friendly terms along with helpful information about the time limits within which you must act (normally a month, but extendable by a further two months in limited circumstances), fees payable (normally none, but again, in limited circumstances, you may be able to recoup your costs of complying), and exceptions or limitations to the rights.

Information is also provided about how to exercise each right. Normally this will be simply telling the data subject to contact you, but in some cases you may offer an online account management facility or similar which enables some of the important rights to be exercised directly by the data subject (downloading a complete copy of their personal data, for example, or deleting their profile, thereby erasing all of the personal data you hold about them – just make sure these features do work as advertised if you are offering them as ways to exercise these key rights).

A Privacy Notice or Policy is a vital step to take in providing the required information to data subjects. Our new Data Subject Rights Policy is a valuable companion to such a document. The GDPR noise may have quietened down, but that doesn’t mean you should rest on your laurels. The more helpful information you can provide to individuals, the better!

New Data Subject Access Request Policy and Procedure

One of the most important rights under the GDPR is the right of access. This is normally exercised by means of a ‘subject access request’. Individuals exercising this right have the right to find out about the personal data you hold about them, what you are using it for, and why. The right of access also entitles individuals to a copy of that data.

If you have previously downloaded one of our Data Protection Policy templates, you will already have seen the section on subject access requests (or “SARs”), providing the essential outline information. This new policy and procedure template is designed to supplement our Data Protection Policies in a big way.

This document takes you through the process of handling a SAR, all the way from receipt, through locating information, complying with time limits, determining whether or not you can charge anything (not usually, but in exceptional cases), whether or not you can refuse, and finally to the information that should be provided in your response.

Some sections of the template are addressed to all staff within your business; after all, SARs come in many forms and could be addressed (orally or in writing) to any of your staff, so it is important that everyone within your business knows how to spot a SAR and what to do with one if it comes to them. The remaining sections are geared towards those staff who are authorised to handle SARs and set out important guidance.

Compliance with SARs is of vital importance for any business that handles personal data and, particularly for those with multiple file systems and departments, tracking down that data quickly should not be left to chance. By having a clear procedure to follow, efficiency and accountability can be maximised, meaning that SARs can be handled with the minimum of fuss. So, don’t delay - download our new template today!

The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.
