The second blog post in our series on GDPR rights is about the access right. See here for the first blog post on your right to be informed.
The right to access your own personal information has existed in the UK since 1984. It is considered a cornerstone of privacy law and is often the main way to understand exactly what information an organisation holds about you, and what they are doing with it.
GDPR only changes small details of this right. You will continue to have the right to know if the organisation does hold your personal information and, where it does, to also know the following.
The UK’s draft Data Protection Bill to implement GDPR is currently being finalised but the current version maintains the exemptions in current law that mean that an organisation may not have to provide certain personal data, or may not have to provide your personal data in certain circumstances.
The organisation also still has to be able to verify your identity before providing you with personal information.
GDPR also requires organisations to tell you the following.
Under current UK law, an access request has to be in writing, but that does not appear in GDPR or the UK’s draft Data Protection Bill. The main impact of this will be that you can make a request over the phone or in person. In reality, though, dealing with the request and responding will inevitably be in writing, but it removes a barrier to making the initial request. Organisations have always had to make reasonable adjustments for disabilities under other law, so it won’t have much impact if this is the reason for not being able to make a request in writing.
Under current UK law organisations have 40 calendar days to reply to you and can charge you a fee of up to £10. Under GDPR the organisation has to respond ‘without undue delay’ and within one month at most, and they cannot charge a fee.
However, if you request further copies of your information, the organisation can charge you a reasonable fee based on administrative costs. Organisations can also charge for ‘manifestly unfounded or excessive’ requests.
The current version of the UK’s draft Data Protection Bill provides for the Government to set limits on the fees. Organisations can also extend the response time to two months depending on the complexity and number of the requests. If they need to extend the response time, they should tell you within the first month.
If an organisation decides it can’t comply with your request, they should explain why, without undue delay and at the latest within one month. They should also tell you about your right to complain to the regulator (ICO).
Not a lot has changed with this right. The main change is that you should get more information from the organisation about what it’s doing with your information, you should get it quicker, and for free.
If you want to make an access request just email firstname.lastname@example.org. You can also make an access request by contacting our Customer Services team or through our social media accounts. We will send any requests to our data protection officer, so the quickest way will be the privacy email.