If you collect and process personal data about somebody, they may have the right under the GDPR to ask you what data you have and how you use it. The GDPR sets down clear rules for how you must respond to this request, including how and when you provide information.

We'll show you what you need to do to comply with the law and keep your customers happy.

The rules on data access requests are set out in the full text of the General Data Protection Regulation, which took effect on 25 May 2018.

It's important to realize the GDPR is not a European Union directive (a set of objectives that each member state must transpose into its own domestic law). It is a European Union regulation, which means it became directly applicable in every EU member state without any national legislation being needed.

The GDPR is made up of articles (the binding clauses of the law) and recitals (the explanatory preamble that sets out how the articles are meant to be read and applied). Both affect how organizations should respond to data access requests.

The specific rules on handling data requests are underpinned by two of the key principles that the GDPR lays down for data handling, listed in Article 5.

Firstly, personal data must be "processed lawfully, fairly and in a transparent manner in relation to the data subject." Data access is part of this transparency.

Secondly, "every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay." Data access helps highlight inaccuracies so they can be corrected.

Pre-empting Privacy Access Requests

You can cut down on the need for many data requests by fully complying with the GDPR's rules on what information you provide to a data subject at the time you originally collect the data.

The required information, listed in Article 13 includes:

  • What personal data you collect
  • Your identity and contact details
  • The contact details of your Data Protection Officer (if you have one)
  • The purposes for which you are collecting the data, and the legal basis for each purpose. The basis must be one of the limited set defined in Article 6; if you rely on legitimate interests, say what those interests are.
  • Whether you'll pass the data on to anyone else
  • If you plan to transfer the data outside of the European Union and, if so, what steps you'll take to make sure it remains safeguarded
  • How long you'll keep the data (or how you will decide when to delete it)
  • The fact that the data subject has the right to access and correct the data
  • How the data subject can withdraw consent for collecting data and what practical effects this will have
  • The fact that the data subject has the right to lodge a complaint with a "supervisory authority" (which authority depends on the country)
  • Whether providing the data is a statutory or contractual requirement, or necessary to enter into a contract, and what happens if the data subject doesn't provide it
  • Whether you use the data for automated decision making

Article 14 requires largely the same information when you obtain personal data from a source other than the data subject (for example, from a partner or a data broker), plus the source of the data and the categories of data you hold.

A Privacy Policy is often the best place to include this information.

For example, this clause from the CNN Privacy Policy covers the transfer of personal data outside of the EU:

CNN Privacy Policy: International Transfer clause

This example from the Shell Driver's Club UK Privacy Policy covers the right to take complaints to a supervisory authority and how a customer can do so via multiple different methods:

Shell Driver's Club UK Privacy Policy: Contact clause

The more thorough your Privacy Policy is from the beginning, the fewer access requests you are likely to receive, so take the time to create a GDPR-compliant Privacy Policy.

Responding to Data Access Requests

Article 12 of GDPR gives clear and detailed rules on how you must provide data in response to a request, while Article 15 details what data you must provide. Here's what you need to know.

What Content to Include

You must provide information that's specific to the user.

For example, if you state in your Privacy Policy that you collect data directly from customers and include a general list of what you may collect, you'll need to tailor your response to include the exact information you have on the user making the request. Saying you collect birthdays from people won't work here. You need to send a response that lets a user know that "we have your birthday as xx/xx/xxxx."

Article 15 says the data subject can ask whether you process personal data about them (and get a copy of this data) and can obtain the following specific information:

  • The purpose for which you process the data
  • What types of data you process
  • Who you've passed the data on to
  • How long you'll keep the data (or how you will decide how long)
  • Where you got the data from
  • Whether you use automated decision-making

You'll also need to tell the data subject about their rights to ask you to correct, delete or stop processing data, along with their rights to complain to a supervisory authority.

Recital 63 clarifies that if you process a large quantity of information about the data subject, you may ask them, before delivering the information, to specify which information or which "processing activities" their request relates to.

Format of Response

In most cases, you should provide the information in writing, which can include electronic communications.

If the access request was made electronically, you should normally respond electronically unless the data subject says otherwise.

If the data subject asks you to provide the information orally (such as in person or on the phone) you can do so. However, Article 12 only permits this where the data subject's identity has been proven by other means, so verify identity before the call rather than relying on the call itself.

Writing Style of Response

When responding to a data access request, you should be concise and use "clear and plain language" so that your response is intelligible. This is particularly the case if you are addressing a child.

You could follow the lead of the Privacy Policy of the BBC which uses language that is as clear as possible while still being accurate:

BBC Privacy Policy: Data retention clause

Timeframe to Respond

Normally you must respond to a data access request within one month of receiving it. Where necessary, taking into account the complexity and number of the requests, you can extend this by a further two months (three months in total). If you do so, you must inform the data subject within the first month that you are extending the deadline and say why.

Note that although these timeframes are deadlines, GDPR clearly says you should respond "without undue delay." This means you can't simply put off responding until the month or three months is nearly up for no legitimate reason.

Charging Fees

Normally you cannot charge a data subject any fees for responding to a data access request.

You can only charge a fee if the requests are "manifestly unfounded or excessive," for example because they are repetitive. In that situation you may either charge a reasonable fee based on your administrative costs or refuse to act on the request. Either way, the burden is on you to demonstrate that the request is manifestly unfounded or excessive.

The Guardian's Privacy Policy explains both the timescale and fees for dealing with access requests in a very informative clause:

The Guardian Privacy Policy: Your rights with regard to the personal data we hold about you clause

Remote Access to Data

Recital 63 explains that, where possible, you should be able to give data subjects remote access to a secure system where they can see their personal data directly. This reduces the need for formal data access requests.

If you do this, the remote access must itself be secure: authenticate users properly, because a portal that shows one person another person's data is a data breach, not transparency. Recital 63 also says this access must not adversely affect the rights of others, including trade secrets and intellectual property, or anyone else's privacy.

Tips For Compliance

You can take several steps to make it easier to comply with the GDPR's data access rules.

  • Appoint a single member of staff to be ultimately responsible for GDPR data access compliance.
  • Make sure that member of staff has the organization and access to accurately assess what data you collect, how long you keep it, why you keep it, how you use it, and whether you share it.
  • Establish a principle of only collecting data where strictly necessary for your operations.
  • Establish a clear and accurate process to verify the identity of somebody making a data access request as well as assessing whether the request is valid. This process should be as quick and smooth as possible for the data subject without compromising accuracy.
  • Set up a clear procedure for gathering together the required information to respond to a data access request quickly but accurately. This may involve technology and software.
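As an added example (not part of the original article, and not any regulator's or vendor's tooling), here is a small Python tracker that encodes the handling rules above as enforceable checks: nothing is released before the requester's identity is verified, an oral response needs identity proven by other means, the one-month deadline can only be extended with a recorded reason notified within the first month, an electronic request defaults to an electronic response, and a fee is only possible once a request has been flagged manifestly unfounded or excessive. The class and field names are illustrative, the sample request is constructed, and the "same day next month, clamped to month end" rule in add_months is an assumption about how to count a month; check your supervisory authority's guidance.

```python
"""Minimal DSAR (data subject access request) tracker. Illustrative only.

Rules encoded as checks (article references are to the GDPR):
  * no disclosure before the requester's identity is verified
  * electronic request -> electronic response unless the subject asks otherwise
  * oral response only once identity is proven by other means (Article 12(1))
  * one-month deadline, extendable by two further months only with a reason,
    notified within the first month (Article 12(3))
  * fee only for requests flagged manifestly unfounded/excessive (Article 12(5))
"""
import calendar
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional, Union


class Channel(Enum):
    ELECTRONIC = "electronic"
    WRITTEN = "written"
    ORAL = "oral"


def _as_date(value: Union[date, str]) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_months(d: date, months: int) -> date:
    """Same calendar day N months later, clamped to month end (31 Jan + 1 -> 29 Feb 2024).
    ASSUMPTION: one common reading of "one month"; confirm with your regulator's guidance."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class AccessRequest:
    received: Union[date, str]
    channel: Channel                        # how the request arrived
    identity_verified: bool = False         # set by your verification process
    extension_reason: Optional[str] = None
    extension_notified_on: Optional[date] = None
    excessive_reason: Optional[str] = None  # why it is manifestly unfounded/excessive
    log: list = field(default_factory=list)

    def __post_init__(self) -> None:
        self.received = _as_date(self.received)

    def deadline(self) -> date:
        return add_months(self.received, 3 if self.extension_reason else 1)

    def extend(self, reason: str, today: Union[date, str]) -> date:
        """Article 12(3): an extension needs a reason and notice within the first month."""
        today = _as_date(today)
        if not reason:
            raise ValueError("an extension must state why it is necessary")
        if today > add_months(self.received, 1):
            raise ValueError("too late: the data subject must be told within one month")
        self.extension_reason = reason
        self.extension_notified_on = today
        self.log.append(f"{today}: deadline extended ({reason})")
        return self.deadline()

    def response_channel(self, preference: Optional[Channel] = None) -> Channel:
        """Article 12(1): follow the request's channel by default; oral only with verified identity."""
        if preference is Channel.ORAL:
            if not self.identity_verified:
                raise PermissionError("oral disclosure requires identity proven by other means")
            return Channel.ORAL
        if preference is not None:
            return preference
        return Channel.ELECTRONIC if self.channel is Channel.ELECTRONIC else Channel.WRITTEN

    def fee(self, admin_cost: float) -> float:
        """Article 12(5): no fee unless the request is manifestly unfounded or excessive."""
        return admin_cost if self.excessive_reason else 0.0

    def release(self, today: Union[date, str], preference: Optional[Channel] = None) -> dict:
        """Gate the actual disclosure on identity and record whether it was on time."""
        today = _as_date(today)
        if not self.identity_verified:
            raise PermissionError("verify the requester's identity before releasing data")
        channel = self.response_channel(preference)
        on_time = today <= self.deadline()
        self.log.append(f"{today}: released via {channel.value}, on_time={on_time}")
        return {"channel": channel, "on_time": on_time, "deadline": self.deadline()}


if __name__ == "__main__":
    # Constructed sample: a request received by e-mail on 31 January 2024.
    req = AccessRequest(received="2024-01-31", channel=Channel.ELECTRONIC)
    print("deadline:", req.deadline())                         # 2024-02-29
    req.extend("need to search archived backups", "2024-02-15")
    print("extended deadline:", req.deadline())                # 2024-04-30
    req.identity_verified = True
    print(req.release("2024-03-20"))
```

The point of putting these rules in code rather than a checklist is that the failure modes become exceptions: a support agent cannot read data back over the phone to an unverified caller, and an extension logged after the first month is rejected rather than silently backdated. Wire identity_verified to your real verification step (the article's tip above), and keep the log as evidence for the supervisory authority.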

Other GDPR Requests

Data subjects may make several other requests alongside a data access request. These include:

  • Asking you to correct inaccuracies in the personal data or add their own note to complete any incomplete data
  • Asking you to remove any personal data that is no longer needed for the reasons you originally gave for collecting it
  • Asking you to stop processing data until you have settled a disagreement about the data's accuracy or the lawfulness of its processing

It's usually easiest to build your procedures for responding to these requests into your overall process for data protection requests.

Summary

Let's recap what you need to know to comply with the GDPR's data access rules.

  • The GDPR sets out legal obligations that apply if you control or process personal data and you are established in the EU, or you offer goods or services to, or monitor the behaviour of, people in the EU.
  • Responding to data access requests is part of meeting key principles on transparency and data accuracy.
  • Data subjects have the right to know several points about what data you collect and how you use it, as detailed in Article 15 of the GDPR.
  • You should normally provide this information when you originally collect personal data, such as in a Privacy Policy.
  • Data subjects have the right to ask for this information later on, for example to check that you have accurate data and are using it lawfully.
  • You can provide information in writing (including electronically) or orally depending on the data subject's preference. Oral responses are only allowed once the data subject's identity has been proven by other means.
  • You must provide data without undue delay. Usually this must be within a month; for complex or numerous requests the deadline can be extended by up to two further months, provided you tell the data subject why within the first month.
  • Normally you can't charge a fee unless the request is manifestly unfounded or excessive. Even then, the fee has to be reasonable and based on your administrative costs, or you may refuse the request.
  • Data subjects may also ask you to correct or remove data, or stop processing it until you resolve a dispute over its accuracy or lawfulness.
  • You can minimize the burden of data access compliance by having clear procedures for auditing what data you collect and how you respond to requests, including verifying identity and validity.