GDPR requires all organisations within its scope to give data subjects the right to review the personal data being held on them. 

Individuals can make this request by submitting a DSAR (data subject access request), which organisations must respond to by providing: 

  • Confirmation that the individual’s data is being processed. 
  • Access to their personal data. 
  • The purpose for processing the data including the legal ground for doing so. 
  • The recipients (or categories of recipients) to whom the personal data has been or will be disclosed. 
  • The estimated period for which the personal data will be stored (or, if this hasn’t yet been decided, the criteria used to determine that period). 
  • A reminder that the data subject has a right to object to the processing, request the rectification of the data or lodge a complaint with a supervisory authority. 
  • Any relevant information about how the personal data was obtained. 
  • Information about automated decision-making, including profiling, and the reasoning for and potential consequences of the automation. 

Data from all searchable sources
GDPRs scope is all filing systems, including unstructured data, and goes beyond processing in electronic forms. This means GDPR prevents situations where data protection law could be by-passed by keeping information in paper form during a particular stage of processing. This means that the right to access to data includes also files, emails and physical documents organized in a register.

You must know the individual
The processor is responsible to know what personal data they are processing about every individual. This means that there is no obligation for the data subject to provide an extensive list of all possible personal identifiers that might exist within the processors filing system. Instead, it is enough for the data subject to provide only one accurate personal identifier, for instance a social security number, email-address or telephone number, and the processer must find all combinations of other personal data that makes it possible to identify the individual.

You cannot charge a fee
In most circumstances, organisations will need to provide subjects with a copy of the information they request free of charge. However, organisations are permitted to charge a “reasonable fee” when a request is manifestly unfounded, excessive or repetitive. 

This fee must be based only on the administrative cost of providing the information. 

Organisations can also refuse to grant excessive, unfounded or repetitive requests. If they do this, they must explain to the individual why they are refusing to comply, and inform them of their right to appeal to the organisation’s supervisory authority.

One month to respond
GDPR states that organisations must provide the requested information without delay and within a month. 

Where requests are complex or numerous, organisations are permitted to extend the deadline to three months. However, they must still respond to the request within a month and explain why the extension is necessary. 

Allow electronic requests
There are no specific rules for how such a data subject request must be made; individuals can simply say, for instance, “I’d like to see what personal data you have on me” or make the request by email. It is, however, the responsibility of the processer to assure the correct identity of the subject that is making the request.

Where a request is made electronically, the information must be provided in a commonly used file format. 

Similarly, GDPR states that data controllers should, where possible, provide “remote access to a secure system which would provide the data subject with direct access to her or her personal data”. 

Do not disclose others
Files and emails almost always includes personal data from several individuals. Under GDPR, it is considered a breach to disclose personal data of others than the subject requesting the information. This means that all documents and emails that are handed over to the data subject must be masked in a way where all other individuals personal data is redacted.

The obligations for the processor under GDPR put all organisations in risk if they are not prepared to handle and deliver on requests. Even though the organization might be able to handle a single request within the time frame, one must also consider the consequences of unhappy customers or formal employees filing multiple requests at the same time. GDPR makes privacy Denial-of-Services attacks possible.

The solution to this is to be prepared.

By performing a privacy data inventory, which is already mandatory under article 30, and take control over the personal data, there is no need to launch an ad-hoc data discovery and legal assessment project for each request.

Instead, a simply search within the inventory´s meta-data returns all relevant information, including purpose, retention period and legal basis.

An inventory also automatically creates the data subject´s individual information model, automatically finding all personal data in combination that makes it possible to identify the subject.

The inventory also makes automation of masking and redaction of other individuals possible, eliminating a very time-consuming activity.

With an inventory in place, a request that any organization will struggle to comply to within a month, can be performed in seconds.