DATA SUBJECT ACCESS REQUEST POLICY
Why do we need a Data Subject Access Request Policy?
As of 25 May 2018 the UK’s, and Europe’s, laws regarding data protection will undergo a substantial change as a result of the General Data Protection Regulation (GDPR), and the Data Protection Act 2018 which is the UK’s legislation mirroring GDPR.
Amongst the many changes brought about by GDPR and the Data Protection Act 2018, one of the most notable is the ability for data subjects to more easily access the personal data a business holds about them. In addition, the deadlines for responding to any requests are very short and failures to respond within the set deadlines or with the correct information could lead to substantial fines and reputational damage for DVW.
By following this simple process, we can ensure that any subject access requests we may receive are dealt with by the appropriate people within DVW and within the timescales set out in the law.
What is a Data Subject Access Request?
A data subject access request is a request by a person for DVW to send to them copies of some, or all, of the personal data DVW is holding about them. Data subject access requests can take any form, including over the phone or in person, so we must be alert to when one may have been made.
A subject access request entitles the data subject to information which contains their personal data. It does not entitle the data subject to all Word documents, e-mails etc. which they were copied in on, or which relate to work or projects they were involved in. Where a document contains personal data but also information about other third parties which should not be disclosed in accordance with the above considerations, or contains information which is not personal data, then the document can be provided to the applicant with the information which is not their personal data redacted (blacked out) from the document.
Responding to a Data Subject Access Request
If you have reason to believe a data subject access request is being made (for example, during a phone call) then you should attempt to clarify whether or not the person you are communicating with is, in fact, making a data subject access request. At the very least you should make a clear note of the person’s name, contact details and date and time of the call so that DVW can correspond with them regarding the request they may have made.
Once you are confident that you have received a data subject access request, or are unsure whether or not one has been received, you must immediately speak with Gerlize de Villiers or, in Gerlize’s absence, DVW’s CEO, who will take responsibility for processing the request. The timescales for responding to a data subject access request are very short and DVW will need as much time as possible to deal with the request properly. A failure to respond within a month could result in DVW being subject to substantial fines and reputational damage.
You must provide Gerlize with any support she requests in responding to the request, including providing her with copies of any notes, emails or correspondence you have had with the person making the request.
It is Gerlize de Villiers’s responsibility to respond to a data subject access request. DVW must not send a response without the approval of Gerlize de Villiers.
Data subject access requests must be complied with promptly, and in any event, within one month of the request being made. This time will only ever be extended where DVW believes that the request is unusually complicated. This decision can only be made by Gerlize de Villiers in conjunction with DVW’s external advisors and, if necessary, the ICO.
DVW is entitled to ask the data subject for further information to help us find the data requested. For example, DVW could ask for the dates an employee was employed by us or at which site they worked. The one-month period does not start until this additional information is received.
In accordance with the Data Protection Laws, DVW will not charge for responding to a subject access request.
DVW will always provide the data subject with the response to the subject access request in electronic form (via e-mail) unless the data subject specifically asks for it to be provided in an alternative form. DVW has an approved Subject Access Request Response that must be used for all formal replies to a subject access request.
Requests for access to special category personal data
All requests by external bodies, agencies or individuals for access to special category personal data shall be processed by Gerlize de Villiers with the assistance of external advisors, if required.