The General Data Protection Regulation (GDPR) will come into force across the European Union on 25th May 2018 and will replace the existing Data Protection Directive 95/46/EC. It will introduce substantial changes to data protection law and, in particular, tough financial penalties for those who do not comply.
Many businesses will be mindful of their general obligations under the current data protection regime, including dealing with data access requests, currently made under Section 4 of the Data Protection Acts 1988 and 2003, which are becoming more popular than ever. The new timescales will try to ensure there is no undue delay, and requests must be concluded within one month (currently 40 days). There will no longer be a charge to process an access request unless it can be shown that the cost will be excessive (the current charge is €6.35).
Businesses will also have some grounds for refusing to grant an access request if it is deemed manifestly unfounded or excessive. However, proper policies and procedures will need to be in place, clearly highlighting the criteria for refusal and why the request meets these criteria.
Those making access requests will also be entitled to information such as data retention periods and the right to have inaccurate data corrected.
Many organisations are seeing an increase in these access requests and are unsure how to deal with them. The impending changes cannot be ignored, and businesses will need to be prepared, especially if they deal with a large volume of requests. Now is the time to start putting those steps into place. The Office of the Data Protection Commissioner has published a useful guidance note on the GDPR and how to prepare for it. A copy is available to download here.