An individual (a Data Subject) has the right to ask whether you are using their personal data, to be informed of the why, what, who and where of the processing, to request a copy of the data, to have it rectified or deleted, and even to have it transferred to a different organisation. Can you guarantee these rights?
Exercising those rights should be as simple as picking up the phone, sending an email or filling out a form. Any employee should be able to recognise and escalate a data subject access request (DSAR), but only staff who have been trained on how and when to respond to a DSAR should actually respond to one.
Step 1: Receiving a DSAR
First, decide how you want to receive requests. CCH GDPR Compliance provides you with an online form. You can customise it and direct all DSARs to the form. By collecting and logging all DSARs centrally, you can ensure none go missing. This matters because the regulation requires you to respond without undue delay and in any event within one month of receipt (extendable by a further two months only where requests are complex or numerous, and only if you tell the requester within the first month). The form is available under the Settings tab in the DSAR section. It can be fully customised, including the URL. Any request submitted through the form is logged as a request in the Subject Access section, and whoever in your organisation is responsible for that section receives a notification as soon as the request comes in.
Step 2: Make sure it’s a valid DSAR
Our DSAR tool helps you validate the request and document how you identified the requester. If you have doubts about the identity of the person making the request, you can ask for more information, but only request what is necessary and proportionate to confirm who they are. If you do need more information to verify their identity, tell the individual as soon as possible. Once the information has been used to verify identity, it is best to destroy it, but record against the DSAR what was used, when it was received and who verified the identity. The period for responding to the DSAR begins when you receive the verification information, not when the original request arrived.
Step 3: Responding to the request
Depending on the type of request, the software's DSAR tool makes sure you consider and respond to the request appropriately by prompting you to consider and take specific actions. Against any DSAR you can add notes and comments or additional documentation. You can see whether the individual has made previous requests, and you can easily see what types of data you might be holding on that individual, where that data resides and whether it has been shared with any third parties. If data needs to be deleted or corrected, you can assign the ticket to someone on your IT team to action it.
When you are satisfied that you have responded appropriately and the data subject is satisfied, you can close the ticket. After two weeks it is archived in CCH GDPR Compliance, so your resolution of the request remains accessible should that become necessary.
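The three steps above as one worked example. This is added here and is not code from CCH GDPR Compliance or its vendor: a hypothetical DSAR register in Python that logs requests, records identity verification as metadata only (what was used, when, by whom, plus a digest of the evidence so the evidence itself need not be retained), starts the one-month clock from the day verification information arrives rather than the day the request was received, flags overdue tickets, and returns the archive date when a ticket is closed. All class, function and field names are assumptions; the sample request data is constructed.

```python
import calendar
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


def add_one_month(d: date) -> date:
    """Corresponding calendar date in the following month (GDPR Art. 12(3)).
    Where that day does not exist (31 Jan -> Feb), fall back to the last day
    of the following month, which is how the ICO's guidance counts it."""
    year = d.year + d.month // 12
    month = d.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class DSAR:
    """One logged request (hypothetical structure, not the product's data model)."""
    ref: str
    received: date
    requester: str                    # stable identifier, e.g. the e-mail used to ask
    verified_on: Optional[date] = None
    verification_note: str = ""       # metadata only: what, when, who; never the document
    status: str = "received"          # received -> verified -> closed
    closed_on: Optional[date] = None
    notes: List[str] = field(default_factory=list)

    def verify_identity(self, evidence: bytes, evidence_type: str,
                        verified_by: str, when: date) -> str:
        """Record that identity was confirmed. Only a short digest of the
        evidence is kept so an audit can later match a document without the
        ticket retaining a copy; the caller discards `evidence` afterwards."""
        digest = hashlib.sha256(evidence).hexdigest()[:16]
        self.verified_on = when
        self.verification_note = (f"{evidence_type} received {when.isoformat()}, "
                                  f"verified by {verified_by}, sha256:{digest}")
        self.status = "verified"
        return self.verification_note

    def clock_start(self) -> date:
        """The month runs from receipt, unless further identity information was
        requested, in which case from the day that information arrived."""
        return self.verified_on or self.received

    def deadline(self) -> date:
        return add_one_month(self.clock_start())

    def is_overdue(self, today: date) -> bool:
        return self.status != "closed" and today > self.deadline()

    def close(self, when: date) -> date:
        """Close the ticket; returns the date it moves to the archive (two weeks on)."""
        self.status = "closed"
        self.closed_on = when
        return when + timedelta(days=14)


class DSARRegister:
    """Central log so no request goes missing and repeat requesters are visible."""

    def __init__(self) -> None:
        self._tickets: Dict[str, DSAR] = {}

    def log(self, ticket: DSAR) -> None:
        if ticket.ref in self._tickets:
            raise ValueError(f"duplicate reference {ticket.ref}")
        self._tickets[ticket.ref] = ticket

    def previous_requests(self, requester: str) -> List[DSAR]:
        return sorted((t for t in self._tickets.values() if t.requester == requester),
                      key=lambda t: t.received)

    def overdue(self, today: date) -> List[str]:
        return [t.ref for t in self._tickets.values() if t.is_overdue(today)]


if __name__ == "__main__":
    reg = DSARRegister()
    t = DSAR("DSAR-0001", date(2024, 1, 31), "a.n.other@example.com")  # constructed sample
    reg.log(t)
    print("provisional deadline:", t.deadline())          # 2024-02-29 (leap year)
    t.verify_identity(b"<scanned passport page>", "passport", "dpo", date(2024, 2, 5))
    print("deadline after ID received:", t.deadline())    # 2024-03-05
    print("overdue list on 2024-03-06:", reg.overdue(date(2024, 3, 6)))
```

The digest in the verification note is deliberately short: it is enough to confirm later that a specific document was the one checked, without the register becoming a second copy of identity documents that itself needs protecting and deleting.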
Facts
Between 2010 and 2015, the Claimant entered into several buy-to-let mortgages with the Defendant, a bank. The Defendant instigated possession proceedings, which the Claimant unsuccessfully opposed. Over a period of two years, the Claimant made various DSARs, to which the Defendant responded.
Claim
In late 2019, the Claimant issued proceedings and sought various forms of relief, including in connection with an allegation that the Defendant had failed to provide data, contrary to the Data Protection Act 2018 (DPA 18) and the General Data Protection Regulation (EU) 2016/679 (GDPR). Because of the dates on which the DSARs had been made, the relevant legislation was in fact the Data Protection Act 1998 (DPA 98).
Section 7(1) of the DPA 98 entitles an individual to be provided with copies of personal data held by a Data Controller, such as the Defendant. Section 7(9) of the DPA 98 gives the Court the power to order a Data Controller to comply with a request if it is satisfied that the Data Controller has failed to meet its obligations under Section 7(1). Section 13 of the DPA 98 permits individuals to seek compensation for damage and distress from a Data Controller found to have breached any requirement of that legislation. Comparable provisions are mirrored in the new regime under the DPA 2018 and the GDPR (the right of access in Article 15 and the right to compensation in Article 82).
Held
The evidence before the Court demonstrated that the Defendant bank had provided the Claimant with a response to each of his DSARs, and in each case the response had been adequate. However, the Judge noted, in obiter comment, that even if he were wrong on that primary finding of fact and there had been a failure to provide a proper response to one or more of the DSARs, the court has a discretion whether or not to make an order, and in this case there were good reasons for declining to exercise it. Those reasons included:
the issue of numerous and repetitive DSARs, which were considered to be abusive;
the real purpose of the DSARs being to obtain documents rather than personal data; and,
there being a collateral purpose behind the requests, namely to obtain assistance in preventing the Defendant from bringing claims for possession. A collateral purpose of wanting the material to assist in litigation is not an absolute exemption from the DSAR obligations, but it is a relevant factor in the exercise of the court's discretion.