Right of Access

Context:

A fundamental, under-pining concept for the GDPR (outlined in Article 15) is that personal data is the property of the individual. This ownership is enshrined in the right of access which gives the individual the ability to see how, where and why data about them is processed.

Considerations:

The right of access is closely related to other rights. In this sense they all need to be considered as inter-related. These other rights include: rectification, erasure (to be forgotten), restriction, objection, not to be subject to automated decisions, be kept informed and obtain a copy of their data (portability). To fully comply with the right of access all of these other rights need to be met.

How to:

Ensure you have processes in place to response to requests for information. Be aware that you need to have processes that can respond to requests from multiple sources – whist you may have a Subject Access Request form/process you cannot insist on requests coming via this or any other route.

If requested provide the following information, and if requested electronically,  in a standard, machine readable format (see Data Portability):

  • whether of not personal data about the individual is being processed
  • the purpose of processing
  • any recipients of the data including 3rd parties or overseas
  • how long the data will be stored for
  • the source of the information
  • whether the data is used to make automatic decisions and, if so, the logic used to make those decisions
  • which safeguards are in place to protect the data where it is transferred to another country

Common Scenarios:

An individual asks to see what information you hold on them

  • Respond in a timely manner. Provide a copy of all the personal information held on the individual. Ensure that you check across all of your systems (HR, CRM, webshop, Finance etc). Ensure you respond in the correct format, electronic and machine readable if the individual made the request in an electronic format.

An individual asks what is done with data about them

  • Explain the purposes of processing, how long you keep the data for, where you got the information and the details of anyone you have transferred the data to. If you are making automatic decisions then provide the logic you use to make these decisions. Again ensure that you provide this in the correct format.

You may opt to provide a standard, comprehensive response covering all the required points and this may be an approach that saves specific, customised responses to each request.

References:

  • GDPR Recitals: 39, 59, 61, 141
  • GDPR Articles 13, 14, 15, 21

How Gydeline helps

We, at Gydeline, help small and medium sized organisations save money and time by building systems, processes and policies that simplify their business and support their sustainability aims.  We do this with a range of services.

If you would like to discuss any aspects of dealing with this and other risks in your business we are always happy to offer some, free, no obligation assistance – just contact us.

Related Posts