New law: New data protection rules will change how organisations handle requests for information about personal data held by them
Organisations 'processing' the personal data of individuals should review how they handle 'subject access requests' (SARs) from individuals about the personal data held on them, ahead of new laws from May 2018.
The General Data Protection Regulation (GDPR) is a new EU Regulation that strengthens and unifies data protection for individuals within the EU and regulates the export of personal data outside the EU. Its aim is to give citizens control over their personal data and simplify the regulatory environment for international business.
As an EU Regulation, the GDPR has direct effect in the UK with no need for enabling UK law. The proposed introduction date is 25 May 2018, and the Regulation will come into force here because the UK will still be in the EU at that time (notwithstanding the UK 'Brexit' vote).
Much of the new law will be the same as existing UK law, but there are important differences. One change is in relation to the rules on SARs - how individuals can exercise their right to ask to see personal data held on them.
The new rules include:
Individuals must be given the means to make SARs electronically.
Organisations must respond to SARs within one month (which is faster than at present).
They will not be able to charge a fee for complying with a SAR unless it is 'manifestly unfounded or excessive'.
If they claim it is manifestly unfounded or excessive, they must produce evidence justifying their claim.
An organisation's response must make clear what personal data it holds and how it is processing (collecting, storing and using) that data, and may have to contain additional information such as the period for which the data will be retained.
Organisations should be considering now the changes they need to make to their policies, procedures, standard documentation and IT systems, in anticipation of the implementation of the GDPR.
Authorised and Regulated by The Solicitors Regulation Authority. Authority number 591294.
For details of the professional rules governing the conduct of solicitors go to www.sra.org.uk/code-of-conduct.page