GDPR Access Rights Explained: A Step-by-Step Guide to Protect Data and Prevent Breaches for Internal Staff


As the person responsible for GDPR compliance in a small or medium-sized enterprise (SME), you often juggle numerous tasks with limited time. One key responsibility is responding to data subject access requests, where individuals ask for a copy of the personal data you hold about them. Under GDPR you must respond without undue delay and in any event within one month of receiving the request.

In the rush to comply promptly and avoid potential complaints, have you considered that you might inadvertently be violating GDPR?

What if someone else makes a request on behalf of the data subject?

A UK student ran an experiment in which he submitted access requests to 150 companies in the name of a “fiancée”. The results were eye-opening:

• 83 companies confirmed they held personal data about the “fiancée”
• 24% provided personal data without verifying the identity
• 16% asked for minimal proof of identity, which could easily be faked
• 39% demanded solid proof of identity before proceeding.

The lesson is clear: responding promptly matters, but checking that the request genuinely comes from the data subject (or from someone authorised to act for them) matters just as much. Sending personal data to the wrong person is itself a personal data breach.

7 simple steps to handle GDPR access requests

Given your many responsibilities and limited time, you need a repeatable process rather than an ad-hoc scramble each time a request arrives. Here is a streamlined approach to handling these requests while staying compliant:

Step 1: Identify the Access Request

GDPR doesn’t require a specific format for access requests. They may arrive by email, letter, web form, phone or social media, and they might not even use terms like “access request” or “exercise the right of access”. Anyone in the organisation who deals with the public should be able to recognise one and pass it on.

Best Practices:

• Establish a clear procedure for handling access requests.
• Designate specific personnel to manage these requests.
• Develop a standard form (including an electronic version) for submitting requests in an organized manner.
• Set up a dedicated email address (e.g., dpo@domain.com) for receiving all requests to maintain clear records.

Having a response procedure is vital, as it involves identifying personal data within the organization, which can be a laborious process. Failing to respond within the one-month deadline can lead to sanctions.

Step 2: Verify the Requester’s Identity

One of the most overlooked steps is verifying the identity of the requester. In a rush to respond promptly, companies might assume they are dealing with the data subject without asking for proof of identity. If the requester is an impostor, handing over the data is a breach, not a compliant response.

Verification should be proportionate: GDPR lets you ask for additional information where you have reasonable doubts about the requester’s identity, but it does not entitle you to collect more identity documents than you need. Practical checks include replying only to the contact details you already hold for the data subject rather than to a newly supplied address, asking for a specific piece of information only the subject would know, and, when someone acts on the subject’s behalf, asking for written authority (for example a signed mandate or power of attorney) in addition to proof of the subject’s identity. Do not release any data until this check is complete.

Step 3: Respond Promptly and Clarify the Request

You have one month to respond to an access request. Where necessary, taking into account the complexity and number of the requests, you can extend this period by a further two months, but you must tell the data subject about the extension, with the reasons for the delay, within one month of receiving the request.

If the request is unclear, contact the requester to clarify the specific data needed for a quicker resolution.

Step 4: Identify the Data to Be Provided

According to Article 15 of GDPR, you need to provide the data subject with a copy of the personal data itself, together with the following information:

• Purpose of Processing: Why is the data being processed?
• Categories of Data: What type of personal data is involved?
• Recipients: Who has received or will receive the data, especially if they’re in third countries or international organizations? For such transfers, also state the safeguards in place.
• Retention Period: How long will the data be stored, or what criteria determine this?
• Data Subject Rights: Information on rectification, erasure, restriction of processing and the right to object.
• Complaint Rights: How to lodge a complaint with the supervisory authority.
• Data Source: If data wasn’t collected directly from the individual, provide any available information about its source.
• Automated Decision-Making: Including profiling, and meaningful information about the logic involved, as well as the significance and potential consequences for the individual.

Identify this information within your organization—for example, HR, IT, CCTV monitoring, or accounting. This step can be intricate and time-consuming.

Step 5: Check for Exceptions

While GDPR emphasizes transparency, there are specific situations where you may refuse a request or withhold part of the data. The exact exemptions are set by national law under Article 23, so check the rules that apply in your country. Typical cases:

• The data is protected by law and cannot be disclosed;
• Disclosure would adversely affect the rights and freedoms of others, including trade secrets and intellectual property;
• The data is covered by legal professional privilege or a confidentiality obligation, where national law recognises that as a ground for withholding it (a contractual NDA does not by itself override the right of access);
• The data involves other individuals (mixed data): this justifies redacting the third parties’ information, not refusing the whole request;
• The request is manifestly unfounded or excessive, in which case you must be able to justify and document that assessment;
• You have been unable to verify the identity of the data subject.

If a request is manifestly unfounded or excessive (e.g., repeated requests for the same data at short intervals), you can either charge a reasonable fee based on the administrative cost or refuse to act on it; the burden of demonstrating that the request is unfounded or excessive is on you. The mere fact that a request involves a lot of work does not by itself make it excessive. Otherwise, the first copy must be provided free of charge; a reasonable fee may only be charged for additional copies.

Step 6: Transmit Data Securely

Security is a cornerstone of GDPR, and it applies to outgoing data as much as to incoming data. Ensure secure transmission to prevent unauthorized access, interception, or alteration. Ordinary email is not secure by default, so use encryption, a secure file-sharing platform, or an encrypted archive. If you protect the package with a password or passphrase, send it through a different channel from the data itself (for example a phone call to the number on file rather than the same email thread), and send the package only to the contact details you verified in Step 2.

Step 7: Keep Detailed Records of Requests and Their Processing

As you can see, responding to an access request is not as straightforward as it might seem and involves numerous interconnected steps and personnel. Maintain a clear record of the entire process: when the request was received, how identity was verified, what was searched and where, what was withheld and why, how and when the data was sent, and who handled each stage. This record is what lets you demonstrate compliance if the data subject complains to the supervisory authority or asks how their request was handled.

By following these steps, you can effectively manage access requests while ensuring compliance with GDPR, thereby protecting personal data and maintaining the trust of your stakeholders.
