How to prepare your organization for the right of access?


Article by Tsaaro


What is the Right of Access?

The General Data Protection Regulation (GDPR) entitles data subjects to various rights when it comes to the protection of their data. The eight primary rights provided to individuals are:

  1. The Right to Information
  2. The Right of Access
  3. The Right to Rectification
  4. The Right to Erasure
  5. The Right to Restriction of Processing
  6. The Right to Data Portability
  7. The Right to Object
  8. The Right to Avoid Automated Decision-Making

These rights have been provided to make data subjects the core of data protection mechanisms. Organisations that collect and process information of individuals need to comply with regulations and ensure that the individual can easily exercise these rights. However, a few of these rights, namely the Right of Access, Erasure and Data Portability, come with complexities.

This article aims to shed some light on one of these rights: the Right of Access. Also known as the Subject Access Right (SAR), it provides individuals with the right to ask the processor for information concerning the data they have provided. This data subject right allows individuals to request a copy of their data, confirmation about their data being processed, and confirmation of the lawful reasons for the processing.

This right is restricted to access to their personal data and not the entire document containing said information. 

This right provides transparency to the processing activities and sets up the stage for further rights such as rectification or erasure. 

A copy of the information shall be provided free of charge. However, in the case of multiple documents, a small fee for administrative costs can be charged.

How can a data subject exercise this right?

Make a request verbally or in writing: DSARs

A data subject access request (DSAR) is the term for the request made by an individual to exercise their right to access their data collected by any organisation.

A third person can make a DSAR on behalf of the subject. Information requested needs to be provided within one month of receiving the request. This is not an absolute right; organisations can reject a request that is manifestly unfounded or excessive, for example if there is malicious intent behind it.

How to manage DSARs?

DSARs are time-consuming. Industries are now gathering far more data than they used to. The exemptions provided for disclosing such information are subjective, making such requests a challenge.

Organisations are not prepared to handle such requests. Further, the shift from external requests to internal DSARs, with employees rather than clients now making such requests, adds to the problems organisations face.

Further, organisations lack an effective process to deal with DSARs, and even the employees lack the practical training to identify whether a request is a DSAR.

Responding to a DSAR

So, your organisation has received a request for data access; what is the next step?

  • First, identify the DSAR and forward it to the personnel in charge, usually the Data Protection Officer (DPO).
  • If the request is unfounded, the organisation can refuse or charge a fee for the access. However, the first request is required to be free of cost.
  • The next step is to ascertain whether the data subject’s identity can be verified. Here, the provider can ask for evidence of identification (e.g. asking the data subject to send a formal email from their registered email ID).
  • Once the identity has been verified and accepted, it is essential to determine whether enough information has been provided to complete the request; if not, the provider shall request the further information required.
  • If the request has been received electronically, the reply has to be in electronic form unless the subject requests otherwise. 
  • Organisations should respond without delay and within one month of receipt of DSAR. However, if the DSAR is detailed and further clarification is required, the time limit can be paused and extended to two months.
  • The provider shall ensure that the information is intelligible and easy to read for a layperson, and accessible. The information should be in simple language.
  • It shall also be ensured that the response is provided securely.
  • If the requested data includes a third person’s information, providers need to try not to disclose that person’s data. If this is not possible, then compliance with the request is not mandatory and can be refused to protect the third person’s rights in case consent is not provided.
  • Data cannot be deleted after receipt of the request or amended to prevent disclosure. If the data has been updated after the request was made, the response shall be the latest information.

What can companies do to prepare?

The General Data Protection Regulation applies to all forms of records, whether hard-copy or soft-copy; hence it is essential to have a proper process to keep track of the data you have collected, to ensure that no data gets lost along the way while processing an access request.

The organisation needs to ensure, through staff training, that a DSAR can be easily identified. An individual needs to be in charge of the request; usually, the Data Protection Officer (DPO) takes on this role. All the staff must be adequately trained to identify a DSAR and forward it to the person in charge.

The organisation needs to have a policy to record such requests, whether verbal or written. Further, it is imperative to provide access to a portal where individuals can exercise their rights with ease and avoid lengthy paperwork. Recital 63 of the GDPR provides for a remote access self-service portal system to provide the requested information. The Privacy Policy for the organisation shall contain details on exercising their right and making the portal freely accessible.

Organisations need to consider carrying out data mapping exercises to be aware of the various places where they hold their data. The data needs to be stored in both soft and hard copy format.

It is imperative to increase transparency in your information handling practices and ensure you have an information management system to keep track of all the data you collect correctly.

How Tsaaro helps you be compliant

Manually managing DSARs is a complex process accompanied by human errors, exposing your organisation to hefty fines. 

GDPR applies to all processing done by organisations established or functioning in the EU, irrespective of whether you are in the EU or not.

At Tsaaro, our professional privacy team ensures your organisation’s compliance with all the regulations with the most personalised solutions. It provides data protection by design in their practice to enhance investor trust in your organisation.
