Under data protection law, an individual has rights over the use of their personal data. As a ‘data subject’, they can request information from organisations on how their data is collected, used and stored, and organisations have to respond on certain data requests.
Dealing with data subject requests, such as Subject Access Requests (SARs) or more uncommon ones such as the right to be forgotten, can be time-intensive and inconvenient for organisations. Thorntons’ specialist Data Protection team can support you in handling these enquiries and help reduce the administrative burden on your organisation.
UK General Data Protection Regulation (GDPR) expands the rights of individuals (referred to as ‘data subjects’) over the use of their data. Data subjects have the right to:
- Be informed
- Have access to information without charge and within a particular timeframe
- Object to processing likely to cause or is causing damage or distress
- Prevent processing for direct marketing
- Object to decisions being taken by automated means including profiling
- Have inaccurate data rectified
- Restrict processing
- Have data deleted in certain situations (commonly referred to as ‘the right to be forgotten’).
- Have data portability, where they can request and reuse data held and instruct its transfer from one Data Controller to another
Responding to the more uncommon data subject rights, such as the right to be forgotten, can also be time-consuming. We can support the handling of these enquiries and potentially significantly reduce the administrative burden on your organisation. In addition, we can handle the redaction of documents in responses if needed.
There are certain steps that your organisation can take to enable you to handle rights requests effectively and efficiently and these should be embodied within the organisation’s compliance measures.
On a practical level, it is important to nominate someone internally to be responsible for responding to data subject rights requests and train your front line staff to be aware of data subject rights and to recognise requests when they come in from individuals. Staff ought to know how to escalate requests to the correct individual/department.
Likewise, it is important to make your IT department aware of rights, in particular, subject access rights, as they will likely be responsible for searching the servers and gathering the data.
We can advise you on practical, effective data protection management and support you to implement procedures to ensure your organisation is best set up to meet its obligations over data subject requests.
Data subject rights requests generally should be complied with within one month. The clock starts ticking on the day the request is received. If the equivalent date one month later is a Saturday or Sunday, you can respond on the following Monday.
If the request is complex, for example it involves large volumes of data, you can request an extension of two months.
Sanctions for non-compliance can be up to 4% of annual turnover or £17.5m, whichever is higher. The regulator, the Information Commissioner’s Office (ICO), will take various factors into consideration when deciding the appropriate fine, such as whether the infringement was intentional or negligent, the nature, gravity and duration of the infringement and the action taken by the controller to mitigate the damage.
Our Data Protection team can provide expert and pragmatic advice and support your organisation to ensure it responds to data subject rights requests in line with data protection legislation. We can advise on management of the data subject rights requests and assist with the practical matters of drafting responses to data subjects and where appropriate, redacting documentation to be provided in response to a data subject access request.
Please call our specialist Data Protection team on 03330 430350 for practical advice and support on how Thorntons can assist you with data subject rights. Or complete our online enquiry form and an expert in our Data Protection team will call you back.