Understanding the GDPR’s right of access
The European Union’s General Data Protection Regulation covers a lot of ground, but the overriding theme involves giving more power and transparency to consumers. While a big part of that involves imposing new requirements on data collectors, the GDPR also gives individuals an unprecedented amount of control over their own personal information.
What is the right of access?
At the heart of that effort are two measures popularly known as the “right to be forgotten,” which we’ve covered in a separate post, and the “right of access.” Article 15 of the GDPR grants data subjects “the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.” Essentially, that means that consumers can obtain access to the personally identifiable material that’s been collected about them.
These requests entail more than just a list of context-free data points. Consumers are also granted significant leeway for seeing how their data is being processed, including:
- The purpose of the processing
- The categories of data being processed
- The recipients, including information if these are in third countries
- How long the data is expected to be stored
- Whether the data has been used in automatic decision-making for instance for profiling
How does it work?
You might assume that requesting access to your personal data would be more complicated than just sending an email to the owners of a particular website, but as a matter of fact, that’s exactly the case. The first step in accessing your data under the GDPR is sending a subject access request (SAR) to the data collector. An SAR can be an email, a letter, or even a fax, so long as it leaves a written record of the request. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
The data collector must respond to the request within one month, unless circumstances require an extension (i.e. a requester is asking for an unusually high volume of information).
Why is this needed?
At first glance, it might seem redundant to provide a specific right of access when the right to be forgotten is already in place. There are a number of situations, though, where obtaining data without having it deleted is preferable. For example, employees may want to find out how much their employers know about their personal lives. Former clients may be interested in what material a business has retained about them. A recent UK survey showed that more than 90% of consumers are interested in learning what data has been stored about them, for reasons ranging from simple curiosity to potential financial benefit to revenge on companies they dislike. How many of those interested parties will follow through on those intentions remains to be seen, but it’s clear that there is strong public appeal in the right of access.
What should data controllers do?
There has been some concern amongst data controllers that responding to the right of access will prove expensive and time-consuming. It’s a legitimate worry—processing these requests and providing copies to the data subjects certainly doesn’t come for free. There’s also the possibility of fraudulent requests, which could put both the data collector and the data subject at risk.
It’s important for data collectors to establish policies and procedures for handling requests of access, including verifying all requesters before releasing any data. If possible, it’s an excellent idea to set up a data request handbook instructions for all relevant employees, templates for response letters, links to internal resources where personal data may be stored, and any data request factors specific to your organization.
There’s no getting around the fact that the GDPR in general and the right of access in particular will present some challenges for data controllers, but as with most things, foresight and thoughtful planning can go a long way toward minimizing the impact.