Under Article 15 of the EU General Data Protection Regulation (GDPR), individuals have a right of access which allows them to request a copy of the personal data an organisation holds about them. In addition, under Article 20 they have a right of data portability, which means they can request the personal data they have provided in a structured, commonly used and machine-readable format so that they can easily transfer it to another organisation. These rights are part of a broader set of rights that individuals are given under the EU GDPR and the UK Data Protection Act 2018.
Although the right of access already existed under the old Data Protection Act (where it was commonly known as a subject access request), the right has changed in several ways. In the majority of cases you can no longer charge a fee for these requests (unless the request is for further copies, or is manifestly unfounded or excessive); in most cases you must respond within one month (rather than the previous 40 days); and the request no longer has to be made in writing. There have also been some changes to the exemptions that apply to the release of certain types of information, although many of the exemptions remain the same.
For businesses and organisations, these changes mean that standard procedures for handling such requests will need to be introduced or updated. It is essential that everyone in your organisation can recognise a data access request as soon as it arrives and knows how to respond, so that requests are dealt with effectively and within the required timescale.
Now that the GDPR and the UK Data Protection Act 2018 are in force, there are new requirements that businesses must meet. One such requirement is the appointment of a Data Protection Officer (DPO). Under the GDPR you must appoint a DPO if you fall into any of these categories:
Even if you do not meet these criteria, it may still be helpful to have someone who takes the lead on ensuring that your organisation complies with data protection requirements, so that you can be confident that personal information is being handled appropriately and that all staff understand their responsibilities in this area.