Dealing with data subject access requests

A data subject access request is a right to access personal information under Article 15 of the EU General Data Protection Regulation (GDPR). Clients and other employees have a right to access and obtain a copy of their personal data. For example, Clare has an argument with her solicitor about the fees she was charged for her criminal case. She believes her solicitor has overcharged her for the work performed. She sends her solicitor an email asking to see copies of all the information that the solicitor holds about her. Clare has made an access request.

GDPR – a quick reminder

GDPR is an EU regulation that regulates the processing of personal data. The GDPR applies to companies processing personal data if those companies are either:

1. In the EU, or

2. Outside the EU but:  

a    offering goods or services to individuals in the EU; or

b    monitoring the behaviour of those individuals in the EU (for example, by tracking their online behaviour).

We need to talk about Brexit

GDPR continues to form part of UK domestic law after Brexit. This is due to the European Union (Withdrawal) Act 2018. The Data Protection Act 2018 will continue to facilitate the application of GDPR standards in the UK.

Personal data – a reminder

Article 4(1) of GDPR states that ‘personal data’ means: any information relating to an identified or identifiable natural person (‘data subject’). Any data that relates to an individual is likely to be their personal data. So what are the consequences of ignoring the rules on GDPR access request rules? There are three potential consequences:

• A fine: breach of the rules on access requests can lead to a fine. The maximum fine under GDPR is up to €20m or 4% of total worldwide annual turnover, whichever is higher, although fines levied by regulators must be ‘proportionate’.
• Legal action: any person who suffers damage as a result of a breach of their GDPR access rights can sue for compensation.
• Criminal offence: it is a criminal offence to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the access request would have been entitled to receive.

Does the client have to make their access request in writing?

A person can make an access request in any form, including by email, letter, social media message or even orally. The request does not have to say that it is a subject access request, nor does it have to mention GDPR.

How long does my firm have to comply with an access request?

Access must be provided within one month of receipt of the request. The time limit may be extended by a further two months if the requests are numerous or complex.  

Must I find every scrap of personal data on the requestor if they make an access request?

Deer v University of Oxford [2017] EWCA (Civ) 121 sheds light on this subject. In this case, Lord Justice Lewison said ‘the implied obligation to search… is limited to a reasonable and proportionate search… the result of a search does not necessarily mean that every item of personal data relating to an individual will be retrieved’.

Why do law firms dislike access requests so much?

They can be very expensive. In the case of Deer, an employee made a request to their employer; 500,000 emails had to be reviewed and the access request was estimated to have cost the organisation £116,116.

What should I do to ensure my firm stays on top of access requests?

Clean out the house! Records management is too often ignored within law firms. Firms must ensure that old client data is subject to deletion time limits. Taking the time to do this means there is less data to sift through in the event that you receive an access request.

Put a written procedure in place to deal with access requests within your firm

This is an instruction manual on how your law firm will deal with such requests. The procedure should include:

• details on how individuals can make an access request;
• how the person’s identity is verified before granting the request;
• how the firm should search for the data; and
• how the data is reviewed before being sent out.

Train, train, train

Many of your staff will interact with clients. Would each of those staff members know what to do if a client said to them, ‘I want a copy of my data’, or, ‘I want to access all my data’? They should know because that customer has just made an access request, and the clock is now ticking. All staff should do an annual training module or session on GDPR that includes details on access requests. Act now to ensure your firm can deal with access requests.

 

Patrick O’Kane is a barrister. He is head of privacy at a Fortune 500 Company and author of A Practical Guide to Managing GDPR Subject Access Requests (Law Brief Publishing)