In this week's edition of the GDPR Overview blog series we will cover individuals' right to access and their right to rectification.
What do these two rights mean?
The right to access means an individual is able to request to view their personal data that you have and make sure you are processing this data in a lawful way.
The right to rectification means an individual is able to request that their information be updated to either correct an error or to reflect a change to their current situation.
Access to Personal Information
So, what kinds of information do individuals have the right to access?
When making their data access request, an individual is able to request access to any of their personal information you are holding and/or processing. Personal information, as we have already learned, is any information that can be used to either directly or indirectly identify an individual, such as contact information, location-based information, or medical information. Individuals are also able to ask that you provide them with confirmation that their personal information is being processed.
When responding to a data access request, in order to comply with GDPR standards, you must be sure you have the appropriate resources and processes in place so your company can fulfill the request within one month (at the latest) of its receipt. However, should this request be overly complex in nature, you may be able to extend this deadline by up to two months by informing the individual before the original one-month timeline is up and explaining why you need to extend the deadline.
Under GDPR you are also not permitted to charge for these access requests unless the request can be proved to be excessive or unreasonable. Any fee must reflect the amount of administrative effort or cost required to provide the information. A reasonable fee may also be charged for any extra copies of the information requested through the same access request.
Upon the fulfillment of a data access request, under GDPR you are required to provide this information in a clear, concise manner and in a format that is commonly used (such as Microsoft Word or Excel for online responses). You must also make certain you can verify the identity of the individual requesting the data so you can be sure you are providing the information to the appropriate person. This must be done through reasonable means, such as the provision of an ID number or another piece of information only they would have access to.
The right of individuals to have access to their personal data is important so they can verify this data is not only correct and up to date, but that it is being used for the purposes for which it was given. This right increases the accountability of the data controller and processor to make sure personal data is processed and used correctly and is not abused by an organization, thereby ensuring security and privacy levels are upheld and respected to the utmost.
Correcting Personal Information
Coinciding with the individual's right to access their data comes their right to ensure this data is correct and complete.
An individual can request that your organization correct any of their data that you have or are processing that is inaccurate or misleading. They can also ask that any incomplete data be completed. These requests for rectification or completion can be made either in writing or verbally. As a general best practice, it is recommended you keep a record of all verbal requests received to cover your bases and be sure the request is fulfilled on time.
While it should already be common practice to ensure all data you collect is correct before it gets processed, it is wise to hold off on the processing until you can be reasonably certain the data is accurate. Under GDPR you are required to reconsider the accuracy of the data if asked to do so by an individual, whether or not you believe the data to already be correct. Individuals have the right to provide you with evidence and justification as to why their personal data should be rectified and you must make the effort to complete their request – especially if this personal data is being used in order to make decisions that directly affect them.
OK, so you've received a valid rectification request, how long do you have to comply?
From the moment you receive a request for rectification from an individual, you will have one month to comply. However, if the request is very complex or if multiple requests are received from the same person at once, you may extend the rectification period up to two months longer – provided you inform the individual within the original one-month timeline and give a justification for the required extension.
Communication with the data requester is key. Being upfront with the individual and providing updates on their requests can instill credibility and will help you comply with their right to be informed – the topic covered last week. Whether the individual is requesting access to their personal data or whether they are looking for mistakes to be fixed or information to be completed, it is important as a data controller or processor that you make every reasonable effort to comply within the required time period. Luckily, many organizations already have processes in place to ensure data accuracy before processing, as well as processes to allow access to the data by appropriate individuals. In many cases GDPR only solidifies the need for these processes, ensuring greater power is given to individuals whose data is being collected and processed.
Next Week in the GDPR Overview Series…
That's it for this week's edition of the GDPR Overview blog series. Next week, we will cover three more individuals' rights under GDPR: the rights to erasure, to restrict processing, and to object to processing.