A knowledge topic entry request is a proper to entry private info below Article 15 of the EU Common Information Safety Regulation (GDPR). Shoppers and different staff have a proper to entry and procure a duplicate of their private information. For instance, Clare has an argument together with her solicitor concerning the charges she was charged for her legal case. She believes her solicitor has overcharged her for the work carried out. She sends her solicitor an e-mail asking to see copies of all the data that the solicitor holds about her. Clare has made an entry request.
GDPR – a fast reminder
GDPR is an EU regulation that regulates the processing of non-public information. The GDPR applies to firms processing private information if these firms are both:
1. Within the EU, or
2. Outdoors the EU however:
a providing items or companies to people within the EU; or
b monitoring the behaviour of these people within the EU (for instance, by monitoring their on-line behaviour).
We have to speak about Brexit
GDPR continues to kind a part of UK home legislation after Brexit. That is as a result of European Union (Withdrawal) Act 2018. The Information Safety Act 2018 will proceed to facilitate the applying of GDPR requirements within the UK.
Private information – a reminder
Article 4(1) of GDPR states that ‘private information’ means: any info referring to an recognized or identifiable pure individual (‘information topic’). Any information that pertains to a person is more likely to be their private information. So what are the implications of ignoring the principles on GDPR entry request guidelines? There are three potential penalties:
- A effective: breach of the principles on entry requests can result in a effective. The utmost effective below GDPR is as much as €20m or 4% of complete worldwide annual turnover, whichever is greater, though fines levied by regulators have to be ‘proportionate’.
- Authorized motion: any one who suffers harm on account of a breach of their GDPR entry rights can sue for compensation.
- Legal offence: it’s a legal offence to change, deface, block, erase, destroy or conceal info with the intention of stopping disclosure of all or a part of the data that the individual making the entry request would have been entitled to obtain.
Does the consumer need to make their entry request in writing?
An individual could make an entry request in any kind, together with by e-mail, letter, social media message and even orally. The request doesn’t need to say that it’s a topic entry request, nor does it have to say GDPR.
How lengthy does my agency need to adjust to an entry request?
Entry have to be offered inside one month of receipt of the request. The time restrict could also be prolonged by an additional two months if the requests are quite a few or complicated.
Should I discover each scrap of non-public information on the requestor in the event that they make an entry request?
Deer v College of Oxford  EWCA (Civ) 121 sheds mild on this topic. On this case, Lord Justice Lewison stated ‘the implied obligation to go looking… is proscribed to an inexpensive and proportionate search… the results of a search doesn’t essentially imply that each merchandise of non-public information referring to a person might be retrieved’.
Why do legislation companies dislike entry requests a lot?
They are often very costly. Within the case of Deer, an worker made a request to their employer; 500,000 emails needed to be reviewed and the entry request was estimated to have price the organisation £116,116.
What ought to I do to make sure my agency stays on high of entry requests?
Clear out the home! Data administration is just too usually ignored inside legislation companies. Companies should make sure that outdated consumer information is topic to deletion closing dates. Taking the time to do that means there’s much less information to sift by within the occasion that you just obtain an entry request.
Put a written process in place to take care of entry requests inside your agency
That is an instruction guide on how your legislation agency will take care of such requests. The process ought to embody:
- particulars on how people could make an entry request;
- how the individual’s id is verified earlier than granting the request;
- how the agency ought to seek for the info; and
- how the info is reviewed earlier than being despatched out.
Practice, practice, practice
A lot of your workers will work together with shoppers. Would every of these workers members know what to do if a consumer stated to them, ‘I need a copy of my information’, or, ‘I wish to entry all my information’? They need to know as a result of that buyer has simply made an entry request, and the clock is now ticking. All workers ought to do an annual coaching module or session on GDPR that features particulars on entry requests. Act now to make sure your agency can take care of entry requests.
Patrick O’Kane is an in-house barrister and head of privateness at a Fortune 500 Firm. He’s creator of A Sensible Information to Managing GDPR Topic Entry Requests (Legislation Transient Publishing)