Much of the concern around the EU’s General Data Protection Regulation has focused on the potentially astronomical fines—up to 4% of global turnover—a company could suffer for failing to meet the GDPR’s stringent data privacy requirements. Of course, the key to avoiding those fines is preventing a GDPR violation in the first place.
At its core, GDPR is about protecting and strengthening individual control over the use of personal data for citizens in the European Union. As such, it applies to any company that collects or processes personal data on EU citizens. “The bottom line is that if your company is marketing, selling, or otherwise doing anything with European personal data, GDPR is something you will need to comply with,” Sonia Cheng, senior director at FTI Technology, said during a recent Compliance Week webinar.
Among the most onerous requirements under the GDPR from a compliance and operational standpoint will be responding to “right of access” requests from data subjects, including customers, clients, employees, board members, and third parties. Specifically, Article 15 of the GDPR gives EU citizens the right to obtain confirmation from data controllers as to whether their personal data is being processed.
If so, EU citizens have the additional right to request the following:
A copy of the personal data undergoing processing;
The purpose of the processing;
The categories of data being processed (e.g., name, address, birth date, web browsing behavior);
The recipients, or categories of recipients, to whom the personal data have been or will be disclosed, especially recipients in countries outside the EU; and
How long the personal data will be stored or, if that’s not possible, the criteria used to determine that period.
Article 15 further requires data controllers to provide a copy of processed personal data free of charge, essentially leaving companies to foot the bill for the administrative costs of having to provide the data. Only where requests are “manifestly unfounded or excessive”—in particular, repetitive—the GDPR permits data controllers to charge “a reasonable fee” for the administrative costs; or refuse to respond. A data controller that refuses to respond to a request, however, must explain its reasoning to the individual.
Administrative burdens. To provide a sense of how significant the administrative burdens could be to satisfy the potentially large volume of subject access requests (SARs) that may result, consider the hypothetical example of a mid-sized life insurance company with one million customers. If 5% of its one million insureds each issued one request per year, that’s 50,000 requests—1,000 per week, roughly 200 per day—that the insurance company would have to process.
During the Compliance Week webinar, Richard MacDonald, a sales engineering director for the EMEA region at ZL Technologies, said that 5% of a company’s customer base requesting SARs is not an unrealistic estimate and, in fact, may even be conservative, particularly in industries that process massive volumes of personal information. MacDonald cited a survey commissioned by software company SAS, in which 48 percent of 2,000 U.K. consumers said they plan to exercise their rights over their personal data under GDPR, with 64 percent saying they welcomed the right of access.
According to the SAS survey, industries most likely to receive subject access requests included banks (32 percent); insurance (29 percent); energy suppliers (27 percent); and retailers (24 percent). Others on the list included supermarkets (23 percent); and employers or former employers (22 percent).
In another survey, conducted by software company Macro 4, just seven percent of 1,000 U.K. consumers polled said they wouldn’t be interested in seeing what personal information companies are holding about them. In that survey, respondents cited numerous reasons for why they’d make an information request.
The reasons cited included: they suspect their personal information is being held without their consent (52 percent); they’re worried that the company is holding sensitive information on them (42 percent); or they believe the information being held about them is inaccurate (42 percent).
Thirty-nine percent said they’d consider making an information request out of curiosity to see what data companies are holding about them; 26 percent said they’d make a request based on the chance of compensation—if their privacy was being breached, for example—and 17 percent answered to “get back” at companies with whom they’ve had a negative experience.
The tight timeframe by which companies must respond to a SAR—without undue delay and within a period of just one month—makes GDPR compliance even more difficult. In a survey commissioned by Exonar, a developer of enterprise-scale big data discovery and machine learning technology for GDPR, only 14 percent of 112 IT and data-protection professionals polled said they can complete a SAR in less than three hours.
RIGHT OF ACCESS BY DATA SUBJECT
Below is a description of Article 15, “Right of Access by the data subject,” in the EU General Data Protection Regulation.
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
Twenty-seven percent of respondents to the Exonar survey said it takes between one and seven days to process a SAR, while 43 percent said it takes longer. These are daunting figures when you consider the hypothetical scenario of 5% of a company’s customer base issuing SARs.
Clearly, Article 15 of the GDPR poses numerous operational concerns and complexities. Consequently, compliance, legal, audit, and IT teams should start to plan and implement the following measures to overcome these challenges:
Get your house in order. Adequate systems and processes must be in place to quickly and efficiently locate individuals’ personal information and to more easily manage the additional administrative burdens created by GDPR. Consider focusing first on the business units that most often handle sensitive personal information—such as HR, sales and marketing, research and development, finance, and legal. From there, the business can start to analyze where these business units capture personal information and start to connect the dots.
Eliminate clutter. Many requests will not be actionable, so, based on the processes built around the data map, determine which requests require a response and which do not. The idea is to be able to easily identify whether the request has come from an existing or former client, an employee, or someone not associated with the company at all. To reduce the risk of third parties gaining unlawful access to personal data, the GDPR explicitly enables data controllers to require data subjects to provide proof of identity. Thus, data controllers should develop an approach to authenticate the identities of individuals making requests.
Consider using a self-service solution. Companies that anticipate receiving a high volume of SARs may even want to consider putting in place a data subject access request portal, enabling individuals to access their information easily online, which will also help to streamline the intake and track the process and response of SARs, Cheng said. It’s also a good idea to develop template response letters to ensure that all elements of a response to a SAR comply with the GDPR.
Training and communication. Employee training is an essential part of dealing with a SAR. “Larger organizations will need to develop GDPR-specific training as part of broader employee onboarding and annual certifications,” Cheng said. “Firms may also need to develop specific policies and procedures around handing subject access requests.”
Update data retention policies. The GDPR enables individuals to request that their personal data be erased “without undue delay” when it’s no longer needed for the purposes for which it was collected or processed, or if individuals withdraw consent or object to the processing, and there are no legitimate or lawful grounds for retaining the data. Thus, it’s essential that the company have in place a policy establishing how long data should be retained. “You have to have a records and retention methodology in place in your organization,” said Eckhard Herych, a partner at healthcare business consultancy firm Halfmann Goetsch Partner.
Test and audit systems. The company should assess its ability to quickly isolate data pertaining to a specific individual. Herych urged companies to “test your processes” prior to responding to a data subject’s access request. “Validate that the process works,” he said. “If you do not test it, you give yourself a false sense of security that you have it under control.”
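The measures above (a data map of the business units that hold personal data, triage and identity verification of requesters, a template response that carries every Article 15 element, a stated retention period, and a test of the process before relying on it) fit together as one workflow. The following is an added example written for this page, not code from the Compliance Week article or from any of the vendors or speakers it quotes. The data map, record stores, subject identifiers and identity tokens are constructed sample data for a hypothetical insurer; a real deployment would replace the token check with its own authenticated channel, such as a customer-portal login.

```python
"""Added example (not from the article): a minimal subject access request (SAR)
workflow built on a data map. Every system, record, id and token is constructed."""
from __future__ import annotations
import calendar
import hmac
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DataMapEntry:
    """One business system in the data map. Its fields are the items Article 15(1)
    requires in a response: categories (b), purpose (a), recipients (c),
    retention period (d) and source (g)."""
    system: str
    categories: tuple[str, ...]
    purpose: str
    recipients: tuple[str, ...]
    third_country_recipients: tuple[str, ...]  # triggers the Article 15(2) safeguards note
    retention_days: int
    source: str


# Constructed data map: three units that handle personal data (assumption).
DATA_MAP = (
    DataMapEntry("crm", ("name", "email", "address"), "policy administration",
                 ("claims processor",), (), 365 * 7, "the data subject"),
    DataMapEntry("marketing", ("email", "web browsing behavior"), "direct marketing",
                 (), ("advertising platform (US)",), 365 * 2, "the data subject"),
    DataMapEntry("hr", ("name", "salary", "address"), "employment",
                 ("payroll provider",), (), 365 * 10, "the data subject"),
)

# Constructed record stores keyed by system; every record carries a subject id.
STORES = {
    "crm": [{"subject_id": "S-1001", "name": "A. Example", "email": "a@example.test",
             "address": "1 Sample St"}],
    "marketing": [{"subject_id": "S-1001", "email": "a@example.test",
                   "web browsing behavior": "viewed /quotes 3 times"}],
    "hr": [{"subject_id": "E-0042", "name": "B. Staff", "salary": 50000,
            "address": "2 Sample Rd"}],
}

# Constructed identity proofs; placeholder for a real portal login or document check.
IDENTITY_TOKENS = {"S-1001": "tok-s1001", "E-0042": "tok-e0042", "S-2002": "tok-s2002"}

REQUIRED_KEYS = ("copy_of_data", "purpose", "categories", "recipients", "retention", "source")


def verify_identity(subject_id: str, presented_token: str) -> bool:
    """The GDPR lets controllers require proof of identity; compare in constant time."""
    expected = IDENTITY_TOKENS.get(subject_id)
    return expected is not None and hmac.compare_digest(expected, presented_token)


def response_deadline(received: date) -> date:
    """One month from receipt (Article 12(3)), clamped to the end of a shorter month."""
    month = received.month % 12 + 1
    year = received.year + received.month // 12
    return date(year, month, min(received.day, calendar.monthrange(year, month)[1]))


def locate(subject_id: str) -> dict[str, list[dict]]:
    """Isolate every record about one individual across all mapped systems."""
    hits = {}
    for entry in DATA_MAP:
        found = [r for r in STORES.get(entry.system, []) if r["subject_id"] == subject_id]
        if found:
            hits[entry.system] = found
    return hits


def classify(hits: dict[str, list[dict]]) -> str:
    """Triage: employee, customer, or someone not associated with the company."""
    if "hr" in hits:
        return "employee"
    return "customer" if hits else "unknown"


def build_response(subject_id: str, presented_token: str, received_iso: str) -> dict:
    """Assemble the Article 15 response. Unverified requesters get nothing; a subject
    with no records still gets the confirmation that no data are processed."""
    deadline = response_deadline(date.fromisoformat(received_iso)).isoformat()
    if not verify_identity(subject_id, presented_token):
        return {"status": "identity not verified", "deadline": deadline}
    hits = locate(subject_id)
    by_system = {e.system: e for e in DATA_MAP}
    sections = []
    for system, records in hits.items():
        e = by_system[system]
        sections.append({
            "system": system,
            "copy_of_data": [{k: v for k, v in r.items() if k != "subject_id"} for r in records],
            "purpose": e.purpose,
            "categories": [c for c in e.categories if any(c in r for r in records)],
            "recipients": list(e.recipients) + list(e.third_country_recipients),
            "third_country_transfer": bool(e.third_country_recipients),
            "retention": f"{e.retention_days} days",
            "source": e.source,
        })
    return {
        "status": "data processed" if hits else "no personal data processed",
        "requester_type": classify(hits),
        "deadline": deadline,
        "sections": sections,
        "rights": "rectification, erasure, restriction, objection; complaint to a supervisory authority",
        "automated_decision_making": "none recorded in the data map",
    }


def audit(response: dict) -> list[str]:
    """Test the process, as the article urges: flag any section missing an element."""
    return [f"{s['system']}: missing {k}" for s in response.get("sections", [])
            for k in REQUIRED_KEYS if not s.get(k)]


if __name__ == "__main__":
    resp = build_response("S-1001", "tok-s1001", "2018-05-25")
    print(resp["status"], resp["deadline"], audit(resp) or "all elements present")
```

The `audit` step is the one to wire into a recurring check: run a known test subject through `build_response` on a schedule and fail loudly if any section comes back without a purpose, recipient list or retention period, so that a gap in the data map surfaces before a real request does.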
GDPR compliance is not a one-off exercise, concluded MacDonald. “You’re going to be doing this again and again forevermore, basically,” he said, “so make sure you have good processes and good technology in place.”