Data subjects have had data protection rights for a long time before the introduction of the General Data Protection Regulation ("GDPR"). However, it is the GDPR that has brought these rights to the forefront of their attention and as experts in the data privacy legal world, we have managed several data subject access and erasure requests over the last 15 months.
In general, we advise organisations first to accept that data is not always an asset and can instead be a liability. We recommend that management embed an internal culture in which everyone understands the risks that data brings and is mindful of the amount of data they keep and the formats in which they keep it. In this short blog, we share with you some key advice on (a) what not to do and (b) how to manage and treat access and/or erasure requests.
What should you not do? How can you help your organisation to manage data better?
1. Do not underestimate the likelihood that your staff (potential, existing or former), clients and/or suppliers will exercise their rights to access and/or erasure. Why? We have often found that potential and former staff, alongside clients, frequently make data access and/or erasure requests. Try to ensure that your engagement with all individuals is on the best possible terms, including where that relationship becomes challenging. The cost you could incur because of an unhappy individual can be enormous, so much so that it can have a real financial impact on your business (through management time spent dealing with the request and/or engaging external lawyers to assist).
2. Do not discuss sensitive matters concerning data subjects (such as pay or disciplinary action) via email or on chat channels such as Microsoft Teams or Slack with anyone except the data subject, unless strictly necessary. Why? Sensitive matters should be managed in the utmost professional manner and failure to do so can result in serious issues for your organisation if a data access request is made by the data subject concerned.
3. Do not keep draft formats of information (e.g. Word documents, spreadsheets, etc.) when final versions have been prepared (and there is no genuine reason why the draft version needs to be kept). Why? If you don't need the draft version, delete it and save your organisation from having to review, and potentially disclose, more data to a data subject if they make a data access request.
4. Do not share information such as attachments via email; instead, try to share links to the cloud or a shared team drive. Why? If you receive a data access or erasure request, you will need to compile all of the emails and any attachments that include the data subject's data, and you will need to review them in order to determine whether they are the same and/or disclosable. This is time that your organisation could otherwise save and spend on something far more valuable for its growth and development.
5. Do not create multiple versions of the same information (e.g. spreadsheets, Word documents) and/or encourage staff to save things on their local drives. Why? Same as the reason provided above: you will need to review all of these versions in order to confirm that they are the same and whether any one of them needs to be disclosed.
6. Do not publish a Data Retention Policy for the sake of compliance without fully implementing and subsequently monitoring it. Why? A Data Retention Policy is critical to ensure that your organisation retains certain data for legal and compliance purposes; any other data should be deleted when it is no longer necessary for its purpose. It is imperative that your organisation ensures that the data it holds is regularly reviewed and deleted when it is no longer needed. If your organisation fails to do this, it will have more data to review if a data access and/or erasure request is made, and you will also be exposing your organisation to breaching other requirements under the GDPR.
How to treat access and erasure requests?
1. Data subject access and/or erasure requests must be acknowledged and managed seriously. Organisations that fail to respond to such requests can and will face enforcement action by the Information Commissioner's Office. In August 2019, Hudson Bay Finance Limited faced enforcement action due to failing to respond to a data subject access request (albeit this matter was investigated under the Data Protection Act 1998).
2. Data subject access and/or erasure requests should be handled professionally, diligently and quickly. Any correspondence concerning the data access and/or erasure request is disclosable (which means that when your staff are emailing internally about the request and gathering the data, these emails are disclosable to the data subject). The time period is very tight, and the request must be fulfilled within one calendar month of being received. There are circumstances when this one calendar month can be extended; however, as best practice and to minimise any potential complaint from the data subject to the Information Commissioner's Office, it is best to fulfil the request within one calendar month.
3. Be mindful that after fulfilling a data access request, you may receive a data erasure request from the same data subject. It is important to be aware of this prospect and to ensure that any data you have provided in response to a data access request is stored centrally in one specific place, so that you can save time in the event that you receive an erasure request.
At Aria Grace Law, several of our lawyers are experienced data privacy experts and can assist your organisation if you receive a data access and/or erasure request. We are able to provide guidance and support, and to fulfil both simple and highly complex data access and/or erasure requests under pressure. If you would like to find out more or instruct us to help you, please contact us at compliance@aria-grace.com.
Privacy Update by Puja Modha, Partner at Aria Grace Law 5.11.2019