A subject access request will require any company to turn over data it has collected on you, and it's pretty simple to do.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- Individuals can get access to all of their data from a given firm, including their employer, by filing a subject access request.
- The GDPR will eliminate the cost for subject access requests and shorten the required response time from 40 days to 30.
The May 25 deadline for the EU's General Data Protection Regulation (GDPR) is fast approaching, and the coming changes will greatly shift how companies are able to handle customer data.
Many people know the GDPR for its hard-line regulation around the "right to be forgotten," where an individual can request a company to erase the personal data it holds on them. However, it also contains the right to access any information that may be held by a company, including your employer.
The process for data access under GDPR will be mostly the same as it was under the Data Protection Act of 1998, but with a few slight differences. For starters, a person will need to file a subject access request (SAR) that, as noted by the Guardian, is simply "an email, fax or letter asking for their personal data."
For clear guidelines on submitting an SAR, see the Subject access code of practice from the Information Commissioner's Office (ICO). There is no particular format required, as long as the request is made in writing.
There are two key differences between SARs made under the Data Protection Act and those made under GDPR: the cost and the time frame.
Before GDPR, the maximum fee that could be charged for access to your data was £10, or about $14. Under GDPR, however, that fee is being removed for standard requests. The ICO also notes that a firm may still charge a "reasonable fee" when "a request is manifestly unfounded or excessive, particularly if it is repetitive."
According to SAR guidelines from the ICO, an individual should have the personal data held on them described, be told whether their personal data is being processed, be told why it's being processed, be told if that data is being sent anywhere else, and be given a copy of the data and details of its sourcing.
The other detail that will change with personal data access under GDPR is how long companies have to respond to your request. Under the Data Protection Act, companies had 40 calendar days to respond once they received a request. Now, however, they will have to provide the data within one month of receiving the request. The company can extend that period by a further two months if the "requests are complex or numerous," according to the ICO's right of access page.
If the request is made electronically, the firm will provide the data in an accessible electronic format. However, the ICO's page notes that GDPR best practices recommend companies establish a secure self-service portal system for easy access.