Right to Access Under GDPR
“Right to Access” is a core concept of digital consumer protections like GDPR. As it relates to digital privacy and transparency, Right to Access can be described as a consumer’s right to know what information an organization is collecting about them, how it is being used (processed), and for what purposes.
According to Article 15 of GDPR, a user may request access to all of their personal data, information about that data (metadata), and information about how it is being used by the organization. For businesses that collect and process user information (data processors), this means taking steps to ensure that you’re able to:
- Respond to information requests lawfully
- Handle the necessary volume of requests
- Have an adaptable process for compliance
Right to Access requests are a key tool for the enforcement of GDPR, as an access request can trigger an audit of an organization’s compliance in other areas covered by the regulation, leading to even greater potential penalties.
What is Right to Access?
Article 15 of GDPR (Right of access by data subject) describes the necessary considerations of Right to Access, and the list is significant. While it may seem like a daunting amount of information to be able to provide to a user at the drop of a hat (specifically within one month of the request as per Article 12), with a bit of smart planning you can ensure your organization’s ability to comply.
Data Copy Access
Article 15 also tells us that data subjects have the right to download or be provided a copy of all of the information that a processor has about them. While users should be able to access their data once for free, organizations may charge a “reasonable” administrative fee for additional copies. If a request was made electronically, the data should be provided in a “commonly used electronic form.”
This section of Article 15 is important in making sure that a user is able to request the updating or rectification of data about them. If a data subject finds discrepancies or inaccuracies in the data collected, they must be able to request the rectification of that data per Article 16.
Third Country Data Security
Under GDPR, “third countries” is the term for countries outside of the EU that do not fall under the purview of GDPR. For example, the United States could be considered a third country if an EU organization were to share data with a partner company in the US.
Users have the right to request information about the measures taken to protect their data while it is being shared with processors in third countries. You must be able to provide information about the security steps taken with regard to Article 46 (transfers subject to appropriate safeguards).
If you are sharing or are planning on sharing data with a processor in a third country, you need to make sure to comply with the appropriate security measures as outlined in Article 46, and be ready to describe those measures to users upon request.
Enforcing Right to Access
Under GDPR, it’s individual users who have the tools for enforcement. It’s unlikely that any organization (save for a very large few) would be singled out for an audit without first being the subject of a data access request. A complaint from a user is the most likely event to trigger an audit by a supervisory authority.
What this means is that once a request for access by a data subject comes in, you need to be ready to comply in a timely manner. If you can’t comply with an access request within a month, or if you’re found to be in violation of any aspect of GDPR, a user could lodge a complaint, leaving your organization at risk.
Another threat brought about by GDPR is the rise of “GDPR trolls,” or individuals less concerned about their personal privacy, and more interested in harassing and gaining settlements from companies who are found to be in violation.
Preparing for Right to Access
Whether as a result of malicious harassment or legitimate requests by users, if the volume of access requests becomes such that you can’t effectively “scale” the administration of them, they could become expensive in other ways. If you don’t have a plan and a process for handling requests quickly and easily, the organizational and administrative burden could place huge stress on your business.
Due to the amount and complexity of information that’s necessary to be provided in the event of an access request, you need to know exactly where to find all of the relevant information and maintain it in a readily-sharable format. Whether this is a prescribed method that’s documented and included in employee training, or an automated process allowing employees to easily “export” necessary information via an application, it’s vital to know exactly how you’ll react when you receive your first personal data access request.
Final Considerations
Ultimately, the privacy and safety of your users’ data should be a top priority regardless of the regulatory measures in place. The legal framework set forth by GDPR only further solidifies the motivation for companies to take the necessary steps to protect personal data. With that in mind, understanding Right to Access is essential in making sure that your organization is taking the right actions now to prevent problems later.
Since Right to Access requests are the primary tool for GDPR enforcement, it’s important to make sure that your organization is adequately trained and prepared to handle a potential deluge of access requests. Make sure to consult with a legal regulatory expert when creating your plan. While GDPR and regulations like it present a fair amount of business risk, organizations should not shy away from tackling compliance head-on and working to create a plan right away.
Cuttlesoft is a digital product development agency with expertise in data privacy and security.