GDPR Data Subject Access Request
We are very close to 25th May 2018, when we know the GDPR, or General Data Protection Regulation, will become law. The GDPR has been around since May 2016, but businesses and others who control or process EU citizens' personal data were given two years to prepare for its arrival. There are a number of important steps credit unions must take.
As we approach May, it is important that your credit union prioritises steps to prove that you are making efforts to comply with the GDPR. One of these steps is to begin writing a Data Subject Access Request (DSAR) procedure as part of your new GDPR procedures. There are of course many important parts within our GDPR procedures, and it might seem that writing a Data Subject Access Request procedure is not urgent; however, it is a requirement within the GDPR and it's best to get it done, and done right.
Firstly, what is a data subject access request?
The GDPR introduces the Right of Access for individuals, and from May 2018 data subjects (our members) will have the right to request: 1. confirmation that their data is being processed; 2. access to their personal data; and 3. other supplementary information, which can relate to information provided in the credit union's privacy notice.
Recital 63 of the GDPR states, “a data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”
The current laws around access to data are very similar to what the GDPR requires; however, there are some key changes you should be aware of under the GDPR. Firstly, in most circumstances the information requested must be provided free of charge. However, organisations, including credit unions, are permitted to charge a “reasonable fee” when a request is manifestly unfounded, excessive or repetitive. This fee must be based on the administrative cost of providing the information. Secondly, information must be provided without delay and within one month.
Where a data request is complex or numerous, credit unions are permitted to extend this one-month period to three months. However, they must still respond to the request within a month to explain why the extension is necessary. Data subjects (again, your members) must be able to make requests electronically as well as physically.
Importantly, data subject access requests (DSARs) can now be made in any form, e.g. email, phone call or web contact form, so we should have a robust system in place to track these requests.
The Information Commissioner's Office has said, “Where you process a large quantity of information about an individual, the GDPR permits you to ask the individual to specify the information the request relates to (Recital 63).” In the credit union space we are less likely to process large quantities of personal data, compared, for example, to some banks which might hold significant personal data on company directors.
The credit union should write a data subject access request procedure as a priority so that you are ready to handle any requests that come through once the Regulation is enforced.
It does not have to be complex, as the relationship we have with our members is not complex, but all staff should be aware that such a request can be made and of the procedure to follow once one is received.