This article looks at the ways in which the European Union's General Data Protection Regulation will reform the "subject access request" procedures that are already a feature of its data protection laws.

The new legislation is the first major revision of Europe's data protection laws for almost 20 years and takes account of the explosion of technology and social media in that time. The GDPR takes effect on 25 May 2018 and will represent a fundamental change in the relationship between members of the public and anyone who holds information about them – whether it is a business, a government department or a charitable organisation.

Familiar features

Everyone is familiar with the "right to be forgotten," which will allow people to ask for the erasure of personal data, the mandatory reporting of "data breaches" (a term found in the existing Data Protection Directive that refers to all manner of offences) to regulators within 72 hours of their discovery, the appointment of qualified data protection officers and fines of up to €20 million or 4% of global annual turnover (whichever is the greater) for the most serious transgressions.

The gravity of SARs

However, there will also be changes to "Subject Access Requests" (SARs). These are the mechanism through which anyone can apply to a data controller (a government, business or charity that holds information on people) to see the data it holds on him.

Not many people make SARs under the existing law and most of those who do are plaintiffs. A SAR is useful as a "pre-action discovery tool" in a contentious claim in which someone who suspects that he has a cause for action can gather evidence.

In this way, SARs represent a problem for organisations great and small. This is not necessarily because firms are reluctant to answer them - it is simply because they rarely hold data in such a way that allows them to extract it easily upon request.

One of the cornerstones of the GDPR, however, is its insistence that businesses should understand the data they have and be able to access it with ease when asked to do so. An increase in the scope of subject access requests is expected under the new legislation and the holders of data must be able to deal with those requests efficiently and in a shorter time than today. Proper preparation is vital if firms want to keep the process cheap.

The current situation

The existing directive states that an individual must make his request for personal data in writing by letter, e-mail or fax. A request should include the requester's full name, address and telephone number. If the organisation in question has a dedicated data protection officer, the request may be made direct to him or to the organisation's website. Alternatively, the firm's privacy policy might provide the necessary contact details.
 
Once the data-controlling organisation receives the SAR it must carry out a search that is "reasonable and proportionate" to locate the individual's personal data. The directive does not, unfortunately, offer its own interpretation of the word 'proportionate' for the benefit of compliance officers. Some people - perhaps most - think that a SAR that asks for "all of the information about me" is disproportionate. The requester should therefore state the nature of the personal data he wants, the better to help the data controller in his search.

The statutory time limit for a response to a SAR is currently 40 calendar days in the UK and Jersey and 60 days in Guernsey. It starts to run from the date on which the data controller receives the request and any other information that he/it may require, including a fee, identity documents and any further details that might help him/it to locate the personal data.

Under the existing law, data controllers can charge a prescribed fee for responding to a SAR, with the maximum set at £10. Different fees apply to requests for educational records, to paper-based health records and to requests made to credit reference agencies. The individual should ask for all the information he requires because the firm might charge him an additional fee for any further request.

The future

On 25 May 2018, as we have said, the GDPR will replace the Data Protection Directive and will come automatically into force in all EU countries. Article 15 deals with SARs and introduces a number of changes that give individuals more rights and widen the meaning of "personal data."

The most significant of these changes are listed below.

1. Freedom from charges
 
The GDPR requires every data controller to respond to every SAR free and gratis (which may embolden people to make more requests). That is to say the data controller should provide the individual with the first copy of his data free of charge, but may charge a reasonable fee to cover administrative costs for any further copies for which the 'data subject' might ask.

2. Refusal when the request is excessive

It is possible to refuse to respond to a SAR if it is manifestly unfounded or excessive (or, alternatively, it is possible to charge a reasonable fee for administration costs in this instance). In cases where the firm processes large volumes of personal data, the individual should specify the exact information or processing activities to which his request relates. The onus is on the data controller to prove that the request is manifestly unfounded or of excessive character. Only then can he/it turn the request down or charge an administration fee.

3. Electronic access and 'data portability'

The GDPR requires the data controller in question to communicate the personal data undergoing processing to the data subject, together with any available information with regard to its source. If the data subject makes the SAR electronically (i.e. by email), the information must be made available to him in a commonly used electronic form, unless he demurs.
 
This right is closely related to the new right under the GDPR to 'data portability,' which is designed to permit the individual to identify the types of data that controllers hold about him quickly and to extract that personal data in a compatible format for his own further use. He might pressurise data controllers to take technical and organisational steps to ensure that they can extract personal data quickly and efficiently from their systems and databases. The cost for this may well be significant.

4. Time for response

Data controllers will now only have one month to respond to a SAR. They may be able to extend this by a further two months by taking into account the complexity of the request and the number of requests but it seems likely that extensions of time will not be normal.

5. The right to withhold data

Under the GDPR an individual's right to obtain a copy of his data must be balanced against the rights and freedom of others. In cases where a third party's rights would be infringed, the firm can withhold data. Although this provision is similar to an existing one under the existing Data Protection Law, the rights and freedoms that are recognised in the EU will change under the GDPR. Furthermore, EU countries are likely to introduce "national derogations" for personal data that benefit from legal privilege or that would prejudice the enforcement of laws.

Next steps

Financial firms would do well to heed the following action points when preparing for the GDPR.

• Review your records, management systems and processes, both electronic and paper-based, and redesign them expressly to support the efficient discovery of information.
• Test your organisation's ability to isolate data relating to a specific individual in the necessary time period (i.e. quickly) provided that the GDPR allows.
• Identify a point of contact within the organisation that will deal with SARs and ensure that its/his contact details are easily available to data subjects.
• Roll out training to the necessary members of staff so they are able to recognise and respond to a SAR with alacrity.
• Create procedures or review any existing procedures regarding your firm's response to SARs and refusal of requests.
• Write up template response letters to ensure that all elements of a response to a SAR in accordance with GDPR are present.
• Consider putting a "subject access portal" in place to allow people to access their information easily online.

Although fines at the moment are comparatively low and the enforcement of the existing directive has arguably been light, the GDPR will magnify the penalties that every financial firm faces to a frightening degree. This is going to make compliance more important than ever. At the moment the UK's Information Commissioner's Office can issue fines of up to £500,000 for serious breaches of the Data Protection Act. Under the GDPR, as we have seen, it will soon have the power to do far worse.

* Sara Johns is available on +44 1534 514205 or at sara.johns@ogier.com; Michael Little, Ogier counsel, is available on +44 1534 514374 and at michael.little@ogier.com; Laura Shirreffs, an Ogier associate, is available on +44 1534 514096 and at laura.shirreffs@ogier.com