If a job’s worth doing…
How knowing your GDPR rights and responsibilities keeps everyone onside
Everyone loves a good truism
And since we got our 2018 Proverb-A-Day desk calendar here at Databasix, apart from it bringing out our inner muses, we can’t help but notice how many of them seem relevant to GDPR.
Take good old data, for instance. It’s said that a little knowledge is a dangerous thing. So, what does that imply about risk levels when a whole load of information is involved? Like someone’s entire personal history?
Facebook. Data. Privacy Policies. It’s still all over the news.
And, as the FB data scandal rumbles on, we’re pretty sure that most people are increasingly wondering about their data protection rights and what data companies actually hold on them.
By the same token, the companies that process customers’ data are now probably reflecting more closely on the type of data they hold and how they use it.
So, whether you’re a private individual wanting to find out what information is held on you, or an organisation handling personal data keen to know how to respond to such approaches, we’ve 3 words for you: Subject Access Requests.
Subject Access Requests (SARs): Two sides of the same coin.
These are written requests enabling individuals to find out what personal data companies hold on them, their rationale for having it, and who else they share that information with.
Fundamental to good information-handling practice, they offer two sides of the same coin with different emphases depending on whether you’re the individual or the processor.
Here’s what you need to know…
For individuals: Give and take is only fair if it’s a 2-way street!
Even though some companies now allow you to download a history of everything that they hold on you, at a time when there’s been a lot more taking than giving going on, it’s highly likely there’s going to be a big increase in the number of Subject Access Requests being made.
Individuals have always been able to make these requests and, whilst they never had to be submitted in any particular form (a straightforward “Please can you let me know what personal data you hold on me” sufficed), you had to pay a £10.00 fee each time you made a request.
However, from 25th May 2018, it’s worth knowing that Subject Access Requests will be free!
So, while you’re at it, you may also want to ask what other measures are being taken to keep your data safe. (For more guidance on this, check out another of our blogs here.)
Though do remember too that, if you are planning to submit requests, you’re seen to be doing this in a reasonable manner – asking the same organisation for repeated updates on what new information they have on you just isn’t cricket…
For processors: Do unto others as you would have them do unto you!
If you process personal data, then, hopefully, you’ll know already that your approach needs to be company-wide so that everyone buys into and understands the importance of GDPR.
Similarly, you’ll also know that it’s everyone’s responsibility to get GDPR right and know their professional responsibilities and duty of care; that’s why your approach to handling and responding to SARs shouldn’t be any different.
Unfortunately, either because organisations are unsure of what to do or because resources to deal with SARs are limited, there can be a tendency to ignore requests. Please don’t do this!!
Remember, your personal data will be held by other companies (and you may decide you want to submit your own SARs) so treat others as you’d want to be treated yourself!
The clock’s ticking…
For the very simple reason that, as soon as you receive a Subject Access Request, you have a limited timeframe in which to respond. In fact, you have 30 days to acknowledge the request and get back to the individual with details of the personal data you hold on them.
And when you consider that the demand for these types of request are likely to increase, you need to be more prepared than ever by having a coordinated approach to deal with them.
Think about who needs to be involved, how they’re going to efficiently access the data requested, and whose role it is to follow-up and respond to the request.
Remember too that if you’re sharing emails that contain others’ information, these details will need to be redacted. This in itself may well be time-consuming so please ensure that you allow plenty of time to check for and action this.
And here’s an added tip: keep a SAR Log so that you can keep a record of individuals making requests – just in case the same name pops up too frequently. No one likes a timewaster so, in this instance, you’d be well within your rights to politely decline repeated requests.
Until recently, the phrase the devil’s in the detail was tailor-made for privacy policies characterised by reams of complex, small print. Thanks to GDPR, this should no longer be the case and, done properly, could reduce the need for people to make SARs.
So, if your policy gives your clients everything they need to know, you’re already well on your way to putting them at ease. Otherwise, there’s a danger of what goes around comes around…
Need more help? There’s no time like the present!
We hope this has been useful. If you’re unsure though about any of the above or need more information regarding either your data protection rights as an individual or your responsibilities as a processor, then please get in touch. We’re always happy to help!
In the meantime, we’ll continue to struggle getting our heads around two of this week’s calendar entries: apparently, the early bird catches the worm yet it’s the second mouse that gets the cheese.
How does that work then?