What is the General Data Protection Regulation?
Since May 25 2018, the General Data Protection Regulation regulates all activities involving the personal data of EU citizens.
The GDPR covers multiple aspects of data protection, privacy, cybersecurity and information rights. Individuals have the right to ask an organization whether it holds their personal information. Everyone has, and can exercise, “the right to be forgotten.” There are strict cybersecurity requirements (mandatory data encryption, data security measures, reporting of breaches, informing data subjects of breaches, etc.), data processing rules, the obligation to redact or pseudonymize sensitive information when there is no explicit need to store it, and the obligation to ask for and record consent before certain personal information is collected and stored.
What does the Right of Access mean?
EU GDPR Article 15, "Right of access by the data subject", states:
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
What is a Data Subject Access Request (DSAR)?
An individual can submit a Data Subject Access Request (DSAR) to any organization; the request specifies the information sought and can be up to 80 pages long. The organization has to comply within 30 days. DSARs are often followed by a “Right to be Forgotten Request” covering the information that was reported.
A typical DSAR consists of the name of the person (including spelling variations and nicknames) and all related information the requester is interested in, such as data related to a job or credit application. If the requester is a former employee, it may cover all the projects he or she participated in and all communications about the requester with other employees, and even with people from other organizations. Even a simple request can involve a lot of data.
It gets more complicated when a former employee asks to access their PII. In this case, relevant data typically includes employment history, education, skills and qualifications, health information, performance data, pay history, disciplinary actions, bank details, next of kin details, etc. Some of this information will be stored in personnel files and payroll records, but even more will be stored as unstructured email data spanning possibly hundreds of mailboxes scattered all over the organization.
Typical motives for a DSAR
- Transfer to another provider/supplier/dealer/employer;
- Privacy concerns;
- Employment related conflicts;
- Other legal matters.
Sometimes the reason for a DSAR is simple. A customer is switching to a different provider/supplier/dealer/employer and therefore requests to retrieve and delete all of their personal data related to their purchase and shipping history with the company of which they are no longer a customer or employee.
Sometimes a request is made out of privacy concerns. Individuals are now more aware of their rights and more concerned about data privacy, and the number of organizations involved in data privacy issues and scandals is increasing exponentially. Concerned individuals submit DSARs to see what data of theirs is being collected and is potentially at risk, and to decide whether they should follow the right of access with the right to be forgotten.
There is also an increasing number of DSARs being used as tactics by aggrieved ex-employees to cause maximum disruption to their former employers.
Global law firm Squire Patton Boggs reported in a recent survey a particular increase in DSARs being used where an individual is facing a disciplinary or performance issue and wants to cause problems for the business or to obtain advance disclosure prior to raising a claim.
The survey states that a little less than a quarter (24.4%) of all respondents noted that DSARs involved employees seemingly just wanting to know what the organization has on record about them. However, 65.5% of the companies also report they had dealt with DSARs that were connected to a workplace issue (for example, grievance, redundancy, performance management, etc.), while specifically among the 64 companies identifying an increase in DSARs since the GDPR, 92% confirmed they had dealt with DSARs connected to a workplace problem.
Sometimes actual and potential litigants use DSARs as a “fishing expedition” to obtain either pre-action disclosure or disclosure while proceedings are ongoing.
What is a Right to be Forgotten Request?
Either subsequently or additionally, a data subject can request erasure of the data from a data controller, provided the data meets any of the following conditions:
- The data is no longer needed;
- The subject withdraws previously granted consent to process their personal data;
- The subject exercises their right to object to the processing of their data;
- The data is unlawfully used by the data controllers and/or processors;
- There is a legal obligation to erase the data;
- The data was collected when the data subject was a child.
There are some exceptions such as compliance, legal requirements to hold data or matters of national security or public interest, but one should not seek to use such exceptions lightly.
Data controllers are typically obligated to erase personal data “without undue delay”, which means within a month.
What does Notification of Data Breaches mean?
Organizations must notify authorities of data breaches within 72 hours of discovery and keep records of all breaches. Data subjects must be notified of any breaches affecting their unencrypted personal data.
What are the GDPR fines?
Administrative fines can reach 20 million euros or 4% of annual global revenue, whichever is higher.