The 5th step to preparing for GDPR is subject access requests. Under the legislation individuals (data subjects) will have the right to access information that you hold about them.
Under the GDPR, individuals will have the right to obtain:
- confirmation that their data is being processed by the Credit Union;
- access to their personal data; and
other supplementary information
Before responding with the data you should verify the identity of the individual using ‘reasonable means’.
Format of the data to be provided
If the request is made electronically, then the ICO state that you should provide the information in a commonly used electronic format. Credit Unions will need to consider their IT arrangements so they can transfer the data securely.
Time Scales for responding to the request
Once you receive a data access request then you must provide the information without delay. The ICO website states this should normally be within one month of receipt of the request. This contrasts with the old legislation where you had 40 days.
You may be able to extend the period to three months. This can be done if the requests are complex or numerous. Where you do increase the time beyond one month then you must inform the data subject within one month of the request and explain why the extension is necessary.
Charging for the request
Under GDPR you will not be permitted to charge for subject access requests. This is another change from the previous legislation which did permit a fee.
Refusing to supply the information
Where requests are ‘manifestly unfounded or excessive’ you will be able to charge or refuse to respond. You will need to be able to prove why you came to this conclusion. Where you refuse to respond then you must explain why to the individual and inform them of their right to complain to the ICO and to a judicial remedy without undue delay and at the latest within one month. It is therefore important that you are sure of your grounds for refusing.
Under GDPR the Credit Union can also withhold personal data if disclosing it would ‘adversely affect the rights and freedoms of others’.
How to prepare for data access requests
The Credit Union should take the following steps in preparing for data access requests:
- Staff will require training on how to handle these requests and to ensure they respond quickly.
- Consideration should be given to who will officially respond from the Credit Union.
- Policies and procedures will need to be updated accordingly.
- The Credit Union may want to consider template letters for dealing with responses.
- Consideration will be required as to how the information will be provided to the individual.