If you collect and process personal data about somebody, they may have the right under the GDPR to ask you what data you have and how you use it. The GDPR sets down clear rules for how you must respond to this request, including how and when you provide information.
We'll show you what you need to do to comply with the law and keep your customers happy.
The rules on data access requests are set out in the full text of the General Data Protection Regulation, which took effect on 25 May 2018.
It's important to realize the GDPR is not a European Union directive, which is a set of principles that countries must incorporate into domestic law. Instead it is a European Union regulation, which means it took immediate legal force in all European Union countries.
The GDPR is made up of articles (the clauses of the law) and recitals (a series of guidelines on how the law should be applied). Both of these affect how organizations should respond to data access requests.
The specific rules on handling data requests are underpinned by two of the key principles that the GDPR lays down for data handling, listed in Article 5.
Firstly, personal data must be "processed lawfully, fairly and in a transparent manner in relation to the data subject." Data access is part of this transparency.
Secondly, "every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay." Data access helps highlight inaccuracies so they can be corrected.
Pre-empting Privacy Access Requests
You can cut down on the need for many data requests by fully complying with the GDPR's rules on what information you provide to a data subject at the time you originally collect the data.
The required information, listed in Article 13, includes:
- What personal data you collect
- Your identity and contact details
- The contact details of your Data Protection Officer (if you have one)
- Why you are collecting the data. This must be one of a limited range of "legal bases" defined by GDPR.
- Whether you'll pass the data on to anyone else
- If you plan to transfer the data outside of the European Union and, if so, what steps you'll take to make sure it remains safeguarded
- How long you'll keep the data (or how you will decide when to delete it)
- The fact that the data subject has the right to access and correct the data
- How the data subject can withdraw consent for collecting data and what practical effects this will have
- The fact that the data subject has the right to complain to a "supervisory authority." Which authority this is will depend on the country
- Whether there's a legal or contractual reason the data subject must consent to data collection
- Whether you use the data for automated decision making
For the most part, data controllers must provide the same information both for people who've already provided personal data and for people who are considering doing so.
Responding to Data Access Requests
What Content to Include
You must provide information that's specific to the user.
Article 15 says the data subject can ask whether you process personal data about them (and get a copy of this data) and can obtain the following specific information:
- The purpose for which you process the data
- What types of data you process
- Who you've passed the data on to
- How long you'll keep the data (or how you will decide how long)
- Where you got the data from
- Whether you use automated decision-making
You'll also need to tell the data subject about their rights to ask you to correct, delete or stop processing data, along with their rights to complain to a supervisory authority.
Recital 63 clarifies that if the data subject asks for a large amount of information, it is acceptable to clarify what they want to see and to ask them to list specific information or the specific "processing activities" they are asking about.
Format of Response
In most cases, you should provide the information in writing, which can include electronic communications.
If the access request was made electronically, you should normally respond electronically unless the data subject says otherwise.
If the data subject asks you to provide the information orally (such as in person or on the phone), you can do so. However, you must already have proof in writing of the person's identity.
Writing Style of Response
When responding to a data access request, you should be concise and use "clear and plain language" so that your response is intelligible. This is particularly the case if you are addressing a child.
Timeframe to Respond
Normally you should respond to a data access request within one month. If the requests are particularly complicated or repetitive, you can extend this to three months. If you do so, you must inform the data subject within one month that you are using the longer timescale and say why.
Note that although these timeframes are deadlines, GDPR clearly says you should respond "without undue delay." This means you can't simply put off responding until the month or three months is nearly up for no legitimate reason.
Normally you cannot charge a data subject any fees for responding to a data access request.
You can only charge a fee if the requests are "manifestly unfounded or excessive," for example if they are repetitive. If you do charge a fee in such circumstances, it must be reasonable and reflect your actual administrative costs. The burden is on you to prove the requests are "manifestly unfounded or excessive."
Remote Access to Data
Recital 63 explains that where possible you should offer data subjects remote access to their data. This will reduce the need for data access requests.
If you do this, it's vital that the remote access be secure. You must also make sure this access doesn't breach any intellectual property rights or violate anyone else's privacy.
Tips For Compliance
You can take several steps to make it easier to comply with the GDPR's data access rules.
- Appoint a single member of staff to be ultimately responsible for GDPR data access compliance.
- Make sure that member of staff has the organizational standing and the access needed to accurately assess what data you collect, how long you keep it, why you keep it, how you use it, and whether you share it.
- Establish a principle of only collecting data where strictly necessary for your operations.
- Establish a clear and accurate process for verifying the identity of somebody making a data access request and for assessing whether the request is valid. This process should be as quick and smooth as possible for the data subject without compromising accuracy.
- Set up a clear procedure for gathering together the required information to respond to a data access request quickly but accurately. This may involve technology and software.
Other GDPR Requests
Data subjects may make several other requests alongside or as well as a data access request. These include:
- Asking you to correct inaccuracies in the personal data or add their own note to complete any incomplete data
- Asking you to remove any personal data that is no longer needed for the reasons you originally gave for collecting it
- Asking you to stop processing data until you have settled a disagreement about the data's accuracy or the lawfulness of its processing
It's usually easiest to build your procedures for responding to these requests into your overall process for data protection requests.
Let's recap what you need to know to comply with the GDPR's data access rules.
- The GDPR sets out legal obligations that apply if you process or control personal data and either you, the data subject, or the processing is in a European Union country.
- Responding to data access requests is part of meeting key principles on transparency and data accuracy.
- Data subjects have the right to know several points about what data you collect and how you use it, as detailed in Article 15 of the GDPR.
- Data subjects have the right to ask for this information later on, for example to check that you have accurate data and are using it lawfully.
- You can provide information in writing (including electronically) or orally depending on the data subject's preference. If you provide it orally, you must verify the data subject's identity.
- You must provide data as quickly as possible. Usually this must be within a month, though in some cases the deadline is extended to three months.
- Normally you can't charge a fee unless the data request is excessive. Even then, the fee has to be reasonable and based on your actual costs.
- Data subjects may also ask you to correct or remove data, or stop processing it until you resolve a dispute over its accuracy or lawfulness.
- You can minimize the burden of data access compliance by having clear procedures for auditing what data you collect and how you respond to requests, including verifying identity and validity.