Why do we need a Data Subject Access Request Policy?

As of 25 May 2018, data protection law in the UK and across Europe will undergo a substantial change as a result of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, the UK legislation mirroring GDPR.

Amongst the many changes brought about by GDPR and the Data Protection Act 2018, one of the most notable is the ability for data subjects to more easily access the personal data a business holds about them. In addition, the deadlines for responding to any requests are very short and failures to respond within the set deadlines or with the correct information could lead to substantial fines and reputational damage for ESP.

By following this simple process, we can ensure that any subject access requests we may receive are dealt with by the appropriate people within ESP and within the timescales set out in the law.

What is a Data Subject Access Request?

A data subject access request is a request by a person for ESP to send to them copies of some, or all, of the personal data ESP is holding about them. Data subject access requests can take any form, including over the phone or in person, so we must be alert to when one may have been made.

A subject access request entitles the data subject to information which contains their personal data. It does not entitle the data subject to all Word documents, e-mails etc. which they were copied in on, or which relate to work or projects they were involved in. Where a document contains personal data but also information about other third parties which should not be disclosed in accordance with the above considerations, or contains information which is not personal data, then the document can be provided to the applicant with the information which is not their personal data redacted (blacked out) from the document.

We have prepared a data subject access request FAQ that is attached to this policy that answers the most common questions people may have about data subject access requests.

Responding to a Data Subject Access Request

If you have reason to believe a data subject access request is being made (for example, during a phone call) then you should attempt to clarify whether or not the person you are communicating with is, in fact, making a data subject access request. At the very least you should make a clear note of the person’s name, contact details and date and time of the call so that we can correspond with them regarding the request they may have made.

Once you are confident that you have received a data subject access request, or are unsure whether or not one has been received, you must immediately speak with Peter Byrne or, in Peter’s absence, ESP’s Operations Manager, who will take responsibility for processing the request. The timescales for responding to a data subject access request are very short and we will need as much time as possible to deal with the request properly. A failure to respond within a month could result in ESP being subject to substantial fines and reputational damage.

You must provide Peter and the Operations Manager with any support they request in respect of responding to the request, including providing them with copies of any notes, emails or correspondence you have had with the person making the request.

It is Peter Byrne’s responsibility to respond to a data subject access request. We must not send a response without the approval of Peter Byrne.

Data subject access requests must be complied with promptly, and in any event, within one month of the request being made. This time will only ever be extended where ESP believes that the request is unusually complicated. This decision can only be made by Peter Byrne in conjunction with ESP’s external advisors and, if necessary, the ICO.

We are entitled to ask the data subject for further information to help us find the data requested. For example, we could ask for the dates an employee was employed by us or at which site they worked. The one-month period does not start until this additional information is received.

In accordance with the Data Protection Laws, ESP will not charge for responding to a subject access request.

ESP will always provide the data subject with the response to the subject access request in electronic form (via e-mail) unless the data subject specifically asks for it to be provided in an alternative form. ESP has an approved Subject Access Request Response that must be used for all formal replies to a subject access request.

Requests for access to special category personal data

All requests by external bodies, agencies or individuals for access to special category personal data shall be processed by Peter Byrne with the assistance of external advisors, if required.