Analysing a GDPR data request
The content of this blog is provided for information purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to your organisation.
GDPR has been in place for a while now – have you received a data request and aren’t sure where to start? Here’s a quick guide to handling one.
- Recognise you have a request – Requests can come in lots of different forms and so it’s important to make sure you understand when you are receiving one. Requests can be made via email, verbally or written – essentially through any medium. One thing that can make it easier to recognise a data request is using a form – but remember this only makes it easier for both parties, it doesn’t mean that you can ignore requests made in another format. A huge part of GDPR is the ability to prove compliance, so make sure that you are keeping logs of any data requests received even if they are not completed in the way originally expected. Some requests may be withdrawn, adjusted, or not possible to meet, but you should still keep track of them.
- Identify your subject – It is commonly assumed that you need to request photo identification to identify the subject. However, you should consider whether the data you already hold is enough to identify them. You should avoid collecting extra personal data where possible.
- Is the request unfounded or excessive? You must consider this question carefully. The ICO advises that you are within your rights to request a fee or deny a request should it fit either of the two criteria – unfounded or excessive. If you decide that the request is unfounded or excessive you must justify why and inform the subject of their rights, which includes the right to lodge a complaint with the ICO.
- Notify the employees involved – The employees involved will play a part in any request received. Whether they are helping to complete the request or they hold some of the data concerned, you should keep them informed along the way. Consider notifying other employees to freeze processing of any related data when a request is received; this way you can avoid any unwanted actions. It is particularly important with a subject access request to avoid erasure before the request is completed.
- Send receipt of the request to the subject – When you receive the request, it is good practice to let the subject know you are working on it. You can do this by replying to them to discuss the scope of the request and inform them of their rights. Some subjects may have a specific reason for making the request and if this is discussed it can help to ensure you are as helpful in fulfilling that purpose as possible.
- Identify the information held – A big step – what information about the subject do you hold? How much of that data does the request apply to? Are third parties involved? Think about these questions; they could change the way in which you respond to the request. A lot of the time you will need to collect or isolate this data, so it is good to know exactly what is included.
- Complete an impact assessment on third parties – Where third parties are involved you should seek their consent and consider completing an impact assessment. Look at how disclosing the third party’s information may affect the third party and evaluate whether it is acceptable.
- Consider any exemptions – There are a range of things that can be considered an exemption from the data request. Look into these and check whether they apply. Should an exemption apply, you must inform the subject, and again don’t forget to include a summary of their rights.
- Review the data – With any request you should review the data it is applied to. Check the processing for GDPR and DPA compliance. You don’t want any surprises!
- Consider the specifics – With different rights come different steps to think about. Following the steps above helps you to analyse the request, although you will need more detail on completing the specific type of request once the analysis is done. Keep an eye out for the specific data request tips that are coming soon.
How we can help you
We work with many clients on projects relating to GDPR compliance. There’s an overview of the different ways we can help you and the various GDPR-related resources we have available here. Get in touch if you’d like to talk more about how we might help you.