The General Data Protection Regulation contains numerous references to a “data subject”, before going on to outline their rights under the legislation. But who is the data subject, and why do they matter so much to your business?
Finding the definitions
Article 4 of the GDPR outlines all the key terms used in the legislation, except “data subject”. Paragraph 1 provides some useful guidance however:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Teasing that definition out, a data subject must:
- Be a real person.
- Own personally identifiable information that is stored and processed by your business.
- Be identifiable using the information you store.
Companies and other non-human entities are excluded in this definition, so they cannot be considered data subjects in terms of the GDPR.
It is critically important to realise that the data subject is at the centre of everything the GDPR sets out to achieve. All 99 articles exist for the protection of data subjects – EU citizens – and their right to privacy.
GDPR – strengthening the rights of EU data subjects
Under existing data protection legislation – like the UK’s Data Protection Act 1998 – people already had certain protections relating to their personal data. Businesses were supposed to keep data only for as long as strictly necessary for instance – but many ignored or abused these rules.
Existing laws simply could not keep pace with new technology and the way that businesses store and process personal information – which is why the GDPR was created. Data subjects now have a number of new rights to help them better control access to their personal information.
Introducing Article 15 – “Right of Access”
The need to secure permission to store and process personal information under the GDPR is relatively well understood. Most organisations have already begun to collect consent from new and existing customers.
More difficult to understand and implement however is the “right of access” granted to data subjects in Article 15 of the GDPR. The regulation specifies:
Data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data
Any EU citizen can now ask if you have their information stored. Not only that, but they can ask:
- What you have.
- Why you have it.
- What you are doing with it.
- How long you will keep it.
For each “right of access” request you will need to generate a report giving the answers to these questions.
For prospects on your email list, the report will probably be very short, including little more than the person’s name, email address and their phone number, depending on what they gave you when they registered. The reasons for storing their data are equally simple – to send them occasional sales emails or newsletters.
For converted leads and established customers, the report will be more extensive. As well as basic contact details, you will need to tell them about any notes created by their account manager, calls logged with your service department and any other details you may have collected over the course of your working relationship.
You must also tell each data subject when and where you may have acquired information indirectly. This may be through buying a mailing list from a trusted third party, or during a corporate merger.
More than just a report
The right of access is more than just producing reports however. When a data subject contacts you, they also have the right to request a copy of all of their data.
According to Paragraph 3, this data export must be provided free of charge. If the request is made electronically – the individual emails you – the information can be supplied in a “commonly used electronic form”.
GDPR expects the extracted data to be “portable”, so it must be supplied in a format that the subject can use. CSV, RTF, DOC and XLS exports are preferable because there are plenty of ways to access and use the information. PDF reports do not meet the portability criteria, so be careful about which file formats are used to fulfil customer requests.
If the individual makes another data export request at a later date, you are allowed to “charge a reasonable fee based on administrative costs”.
Paragraph 3 also contains a helpful reminder:
The controller shall provide a copy of the personal data undergoing processing. This means that you must not keep data that is not being processed. Unless required for statutory reasons – financial reporting or account management for instance – data that is not being processed has fulfilled its use and must be deleted.
Don’t wait around
The GDPR does not outline any specific timeframes for responding to subject access requests – just that they must be completed in a timely manner. Interpreting “timely” is a matter for national data commissioners but the expectation is that you have 30 days to respond and complete each request.
This could become a problem if your business stores personal information across a number of applications and databases. Collecting, collating and exporting data from across the network could be a particularly complicated exercise. Especially when the GDPR expects you to document and export older data held in your cold storage archives too.
Data subjects include everyone
Much of the focus on subject access requests has been on customers and prospects. But the GDPR applies to everyone, including your employees.
This means that employees can make subject access requests – and that your business must fulfil them in exactly the same was as any other.
How to fulfil an Article 15 subject access request
You will need to build a process to ensure that requests are handled correctly. Your process should include:
- A confirmation message – You should send a message to the individual confirming you have received their request as soon as possible.
- Collate the information quickly – Begin the process of collating information belonging to the individual.
- Involve other departments – There is a very good chance that customer data is being stored in de-centralised systems too. Creating a process that includes non-IT departments ensures that no personal data is missed – and that your access request routines are fully GDPR compliant.
- Record data uses – As departments report back, ensure that you record where the data is being stored and what it is being used for.
- Convert data exports if required – Remember, exported data must be portable, so convert it into an editable format before sending back to the data subject.
- Deliver data to the subject – in most cases, a secure digital download should be sufficient.
Preparation is key
Simple in concept, subject access requests can become quite complex in practice – which is why you need to have the fulfilment process defined in advance. There is one more thing you can to do simplify the process – audit personal data storage locations before you start receiving requests.
You should carefully check your IT systems to determine where personal data is being held, what it is for, and who oversees it. By keeping a register of this information you can avoid information being missed, lost or stolen – as well as making it easier to export when an access request is received.
As individuals become more aware of the value of their personal data – and how unscrupulous organisations have been abusing it – you will see an increase in the number of access requests received. So long as you have a robust process in place to handle these requests, your business will have no problems maintaining GDPR compliance.
For more help and advice on collecting the processing data requested by your customers, please get in touch.