Data Subject Rights

UK General Data Protection Regulation (GDPR) expands the rights of individuals (referred to as ‘data subjects’) over the use of their data.  Data subjects have the right to:

• Be informed
• Have access to information without charge and within a particular timeframe
• Object to processing likely to cause or is causing damage or distress
• Prevent processing for direct marketing
• Object to decisions being taken by automated means including profiling
• Have inaccurate data rectified
• Restrict processing
• Have data deleted in certain situations (commonly referred to as ‘the right to be forgotten’).
• Have data portability, where they can request and reuse data held and instruct its transfer from one Data Controller to another

Responding to the more uncommon data subject rights, such as the right to be forgotten, can also be time-consuming. We can support the handling of these enquiries and potentially significantly reduce the administrative burden on your organisation. In addition, we can handle the redaction of documents in responses if needed.

There are certain steps that your organisation can take to enable you to handle rights requests effectively and efficiently and these should be embodied within the organisation’s compliance measures.

On a practical level, it is important to nominate someone internally to be responsible for responding to data subject rights requests and train your front line staff to be aware of data subject rights and to recognise requests when they come in from individuals. Staff ought to know how to escalate requests to the correct individual/department.

Likewise, it is important to make your IT department aware of rights, in particular, subject access rights, as they will likely be responsible for searching the servers and gathering the data.

We can advise you on practical, effective data protection management and support you to implement procedures to ensure your organisation is best set up to meet its obligations over data subject requests.

Data subject rights requests generally should be complied with within one month. The clock starts ticking on the day the request is received. If the equivalent date one month later is a Saturday or Sunday, you can respond on the following Monday.

If the request is complex, for example it involves large volumes of data, you can request an extension of two months.

Sanctions for non-compliance can be up to 4% of annual turnover or £17.5m, whichever is higher. The regulator, the Information Commissioner’s Office (ICO), will take various factors into consideration when deciding the appropriate fine, such as whether the infringement was intentional or negligent, the nature, gravity and duration of the infringement and the action taken by the controller to mitigate the damage.