How to Handle Privacy Access Requests Under the GDPR
Article 15 of the General Data Protection Regulation (GDPR) grants Europeans the right to ask for a copy of the personal data. These 'data subject access requests' are your responsibility as a data controller. If you don't comply, you could face real scrutiny not only from regulatory bodies in Europe but even the press at home.
Why would European residents want to see a copy of their personal data? There are a few reasons, but mainly, people making this request will want to understand how you process their data, particularly if they're not sure you're acting lawfully.
Are you prepared to receive and process privacy access requests in compliance with the GDPR? The following guide will help you understand your role in promoting access to data and how to create a system that saves you time and prevents damage to your reputation.
- 1. How to Collect Data Subject Access Requests
- 2. How to Respond to Data Access Requests
- 2.1. Respond Within One Calendar Month
- 2.2. Respond in the Same Way the Subject Made the Request
- 2.3. When Can You Refuse a Request?
- 2.4. Can You Charge a Fee for Access?
- 2.5. Can You Ask for Identification?
- 4. Summary
How to Collect Data Subject Access Requests
Before diving into the appropriate response to privacy access requests, it's important to talk about how to collect them.
You can make this process as simple or as complicated as you like. The GDPR isn't prescriptive in this sense. Instead, your decision should depend on how much data you collect, the nature of your business, and how many data requests you expect to receive.
For example, collecting access requests can be as easy as setting up a dedicated email address to accept requests or using an existing email address, if you'd rather.
Alternatively, you may create a dedicated form to ease the processing and make identifying the subject and their data easier. Some companies may go as far as creating an interface on their website that takes care of the requests and forwards them to the correct person for processing.
For example, the Department of Employment Affairs and Social Protection (part of the government of the Republic of Ireland) created a "Make a Subject Access Request" page with a downloadable form, an email address and a mailing address:
An outline of what information individuals must provide to prove their identity is included, as well as a link to the full Data Protection Policy.
The Irish government's example is the short version. For a more complete and sophisticated version, it's helpful to look at Bank of Ireland's procedure.
Bank of Ireland is a helpful example because it both collects sensitive information from EU citizens, but it also uses automated decision making, which is likely to trigger more privacy access requests. As a result, it needs a very thorough system for handling requests.
The bank's mechanism is sophisticated. It starts by providing directions regarding the ways that data subjects can exercise their rights:
It then provides unique mechanisms for each individual right by providing a helpful menu:
If you click on "Access Your Data," Bank of Ireland redirects you to a new page with a form to fill out. Here's just an excerpt of it:
Creating a proprietary system for handling requests is beyond the scope of most businesses. Bank of Ireland is more likely to need one due to the nature of its business, the number of EU clients it serves (being located in the EU), and the categories and methods of data processing used. However, it is a very good example of how far you can go if you anticipate a high volume of requests.
How to Respond to Data Access Requests
When you receive a subject data access request, it's your legal duty to respond.
What many people might not know is that you aren't just supposed to provide a copy of the data itself. You also need to show how and why you process the data.
The key isn't just to say, "I have this data." Full transparency requires you to demonstrate the ways you use it, which provides infinitely more information to the data subject than just a copy of their name, email address, and whatever else you collect.
The GDPR says you need to provide eight types of information when you receive a request, including:
- The categories/type of personal data involved
- Your purpose for processing
- Who also received the data (including third countries)
- How long you intend to store the data
- When and how to ask you for the right to erasure, restriction of processing, objection to processing, and correction of data (right to rectification)
- Their right to lodge a complaint to the Data Protection Authority
- How you accessed data you didn't collect from the source
- Whether you use automated decision-making
As you can see, it's not as simple as simply sending them a file of their data.
Not only do you need to explain what happens with the data, but you need to have a process in place to provide that explanation in the first place.
Fortunately, it doesn't need to be as complicated as it looks and we'll show you how to streamline the process.
Respond Within One Calendar Month
The GDPR gives you one calendar month to respond to requests starting the date you receive the request, which gives you time to deal with a backlog if it arises.
The calendar month system works like this: if you receive a data access request on January 1, then you have until February 1 to fulfill it. Note that the clock starts ticking the day you receive the request, not the day you open it.
You can ask for more than a month when the request is very complex. However, you must first notify the data subject of the need for an extension within the initial month timeline.
Respond in the Same Way the Subject Made the Request
When you're ready to provide the data, it's ideal to do so via the way the data subject made the request.
In other words, if they send you the request electronically, respond using a format like a Word Doc or PDF unless they make a special request.
If they make a request via post, then send it in paper format in the mail to the address provided.
When Can You Refuse a Request?
Although the right of access is a fundamental right, it isn't absolute. Generally, you can't flat-out refuse a data subject access request. There are only a few exceptions for data controllers.
If you want to refuse a request, you must be able to prove that the request is unfounded or excessive. For example, if the data subject demands that you provide data you never collected, then you can refuse.
A refusal needs to come in writing. You need to provide a reason and explain their further rights, which include:
- The option to complain to the relevant Data Protection Authority
- The right to take legal action
However, you should avoid refusing requests that could end up in a lawsuit. If you do, you need to have a legal strategy.
Additionally, you can tip-toe around refusing a request if you are trying to protect the rights of other data subjects. Instead of saying "no," you should instead respond saying that fulfilling the request is not possible due to the need to comply with the protection of the rights and freedoms of others.
Can You Charge a Fee for Access?
Typically, no. You need to provide a copy of their data without asking for payment. There can't be a handling or administrative charge attached as long as the data subject makes a reasonable request for a single copy of their data.
However, in the event that the request is 'manifestly unfounded or excessive,' then you can charge a 'reasonable fee' to cover administrative costs.
It's still not as simple as saying you need a fee to cover the costs. You (the controller) must justify the fee by explaining why the request was excessive. Your fee must also reflect administrative costs and should not look like an attempt to dissuade individuals from exercising their EU rights.
Can You Ask for Identification?
Yes, you can request information to verify the identity of the data subject if you suspect that the person making the request isn't the owner of the data.
However, you can't use the ID request as a form of gatekeeping that prevents subjects from accessing the data. You also shouldn't use it for basic data: public bodies and financial institutions are more likely to request a government ID.
Another way to request users identify themselves may include asking a data subject to log into their account to confirm their identity.
Remember to practice basic data minimization (not collecting more data than you have a legal use for), and if you do have a valid basis for collecting ID data, then be sure to protect it as you would the rest of the subject's personal data.
You should also outline how long you keep the data and when you erase it.
You should also provide details such as:
- Your contact information
- Your Data Protection Officer's contact details (if applicable)
- How to withdraw consent
- How to exercise their GDPR rights (including the right to access)
By providing this information and updating it regularly, you limit the number of requests you'll likely receive because you already answered the questions that most people have about their data.
Handling data access requests is a requirement if you fall under the jurisdiction of the GDPR. There's no way around it, but you can make it simple and painless by creating the appropriate mechanisms.
To summarize, here are the key points you need to remember:
- You are obligated to honor privacy access requests except in limited circumstances
- You have one calendar month to complete the request
- You may not charge a fee for the request unless you have a valid reason
- You must make it easy for data subjects to find and exercise their EU rights on your website
- You must inform the data subject of their right to complain if you choose to deny a data access request
- When responding, include all the required information and be transparent