GDPR Subject Access Explained
The GDPR subject access provides individuals with the right to request and obtain a copy of their personal information in order to assist in helping them to understand how and the reasons for an organisation using their data and to check that they are using it legally.
The introduction of GDPR means that an individual has the right to request that a company is using their data, be provided with the data being used as well as other supplementary information. In addition, the following further information should be provided:
- The purpose of holding the information;
- Who the personal data is disclosed to;
- The period of retention of the data;
- The right to request rectification, erasure or objection to the processing of their personal data;
- Th right to lodge a complaint with a supervising authority;
- The source of the information.
The GDPR request must be clear that the individual is requesting their own personal data, however, that request can be in the form of writing or verbally and can be made through any part of the organisation to any employee, including via social media, meaning that it is important to ensure that any customer facing staff, who may encounter such requests more frequently, are sufficiently trained to be able to identify them and to log them correctly..
The individual can only request information relating to them under the GDPR request, or legally able to make the request on behalf of the relevant individual, normally they have no legal ability to request details of the information held in relation to other parties.
It may be that a GDPR request can be made to the individual to provide confirmation of their ID to ensure that the request is valid.
If the information to be provided under the GDPR request includes data relating to another individual then, under the Data Protection Act, that information does not need to be provided nor does the data need to be provided if the request can be shown to be greatly excessive.
GDPR Subject Access Request Forms
Section 59 of the GDPR suggests that organisations design a subject access request form that individuals can use and can be submitted electronically, however, as above, individuals can make the request through any means and so it should be made clear that the form is not compulsory.
The Data Provided as Part of a GDPR Request
When a GDPR request is made it is best practise that the individual can be given access to a secure portal that provided them with direct access to their information.
The data provided from the GDPR request should normally be that held at the time of the request, however, if the data is in frequent use then it may be altered or deleted before the request can be responded to. Therefore, it is often the case that the response provided relates to the data held at the point that the response is sent.
However, under the Data Protection Act 2018 it is an offence to amend the data with the intention of preventing the disclosure of it and, so any amendment should not be intentional to avoid disclosure.
GDPR requires that any information provided is concise, intelligible and uses clear language, effectively meaning that it should be understandable to the average person.
Normally to provide the information under a GDPR request, unless the request is excessive, a fee should not be charged to comply with the request and the information should normally be provided within a month and a day of the request being made.
Using a Processor for GDPR Subject Access Requests
As the controller of data, the requirement for providing the data lies with the organisation that holds it, not the processor who may handle it, though, if an external source handles the data, it may provide a reason for extending the time limit to providing the response to the GDPR request.
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0845 882 7386 or via email on firstname.lastname@example.org, further details are available on our contact us page.
Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.