The second article in our series on GDPR rights is about the access right. See here for the first article on your right to be informed.
Part 2: The right to access
The right to access your own personal information has existed in the UK since 1984. It is considered a cornerstone of privacy law and is often the main way to understand exactly what information an organisation holds about you, and what they are doing with it.
GDPR only changes small details of this right. You will continue to have the right to know if the organisation does hold your personal information and, where it does, to also know the following.
- What personal information they have, and a copy of it.
- What they are doing with it.
- Who or what types of organisations they have disclosed (or may in future disclose) your personal information to.
- Where they got your personal information from (if it wasn’t directly from you).
- Whether they have done any automated decision-making with your personal information and the logic involved. (GDPR also adds: the consequences of this activity for you).
The UK’s draft Data Protection Bill to implement GDPR is currently being finalised but the current version maintains the exemptions in current law that mean that an organisation may not have to provide certain personal data, or may not have to provide your personal data in certain circumstances.
The organisation also still has to be able to verify your identity before providing you with personal information.
GDPR also requires organisations to tell you the following.
- Where possible, how long they will keep your information for, or the criteria they use to decide this.
- You have rights to request correction or deletion of your information, have its use restricted or object to the organisation holding and using it.
- You have the right to complain to the regulator – in the UK this is the Information Commissioner’s Office.
- If they send your information outside the EU, what safeguards they have in place.
Under current UK law an access request has to be in writing, but that does not appear in GDPR or the UK’s draft Data Protection Bill. The main impact of this will be that you can make a request over the phone or in person. In reality though, dealing with the request and responding will inevitably be in writing, but it removes a barrier to making the initial request. Organisations have always had to make reasonable adjustments for disabilities under other law, so it won’t have much impact if this is the reason for not being able to make a request in writing.
Fees and timescales
Under current UK law organisations have 40 calendar days to reply to you and can charge you a fee of up to £10. Under GDPR the organisation has to respond ‘without undue delay’ and within 1 month at most, and they cannot charge a fee.
However, if you request further copies of your information, the organisation can charge you a reasonable fee based on administrative costs. Organisations can also charge for ‘manifestly unfounded or excessive’ requests.
The current version of the UK’s draft Data Protection Bill provides for the Government to set limits on the fees. Organisations can also extend the response time to two months depending on the complexity and number of the requests. If they need to extend the response time, they should tell you within the first month.
If an organisation decides it can’t comply with your request, they should explain why, without undue delay and at the latest within one month. They should also tell you about your right to complain to the regulator (ICO).
So what does all this mean?
Not a lot has changed with this right. The main change is that you should get more information from the organisation about what it’s doing with your information, you should get it quicker, and for free.
What is Yoti doing?
If you want to make an access request just email firstname.lastname@example.org. You can also make an access request by contacting our Customer Services team or through our social media accounts. We will send any requests to our data protection officer, so the quickest way will be the privacy e-mail.
You can read our first article on your right to be informed here.