Hi and welcome back. This time we're continuing our journey through rights by talking about what we call in Europe data subject access requests, or DSARs; essentially access-to-information requests, where the individual can ask for exactly that, a copy of their information. I think this is perhaps one of the most important rights, because if you don't give them the information, or don't tell them what information you've got, they can't claim the rest of their rights. As we said before, generally speaking, exercising rights is free, and that's a really interesting one. There used to be laws around the globe where it could cost you an amount of money; organizations could charge administrative costs. But that's considered a barrier to a free and fair human right, so generally speaking we've now moved these rights to be free. Even so, organizations can charge for repeated copies, and there is the ability to deny requests that are manifestly unfounded, that are not for the right purpose. The purpose of these requests is to pursue your information rights. If you're using them to annoy an organization or just to wind an organization up as part of a targeted campaign, then you could consider that request to be unfounded. Really interesting, when you might deny an access request. Generally speaking, again, I'm talking about Europe here; these time limits do change across the globe, but in the GDPR you've actually got a calendar month, so putting in an access request in February, you've got a couple of days less there. They can come back to you and say, "Hey, who are you? Let's verify your identity." They can ask you for enough information to help them find the data, and they're generally allowed to ask you why. But why you want it is irrelevant; the request is purpose-blind, and they certainly can't use your answer to reduce the scope of the data. Your right under law is to all personal data that they hold on you. 
I object to it when organizations come back to you and say, "Yeah, what do you really want? We only want to give you a little bit. Let's make it easy for ourselves." No. I want all personal data you hold on me. Give me all of the personal data you hold on me. Then they're going to supply information that allows you to interpret and explain that data, and they've got to inform you of the further rights you have as well. Those further rights are generally going to follow on. The right to transparency is the road to that. We need the right of access in order to pursue our other rights: rectification, objection, erasure, portability. If we don't know what data people are holding, then we don't know if it's correct, or the right amount, or know whether we need to make a complaint, for example. It's a really important, fundamental right. Generally speaking, that means you've got to have a process within your organization. You've got to have a process to understand when you've received a request. That can be quite a difficult thing, because a lot of organizations have got non-legal information disclosure provisions in place. You can phone up and ask for your bank balance. It's your bank. You can use an app to find out what your bank balance is. That's part of the service. That's not an access request. At what point do we go from someone just changing their name and address to a formal request for rectification? At what point do we go from someone asking for their bank account balance to a formal request for all of their data under the data protection legislation? These are really interesting decisions that an organization has got to make about whether to consider this a formal access request, because it's supposed to be a formal access request. I don't even really believe they've got to mention the law. I believe if I say, "I want access to all of my personal data," that's my right. It doesn't matter whether they quote the right sections of the law or not. 
We've got to train our staff to understand, first of all, what day does it run from? Because if the individual sent in all of their ID and whatever you need to find the data on day 1, well, it's started. It doesn't matter whether it's coming from a chat window, or through Twitter, or through Facebook, or through an email, or through the post. You've got one, and you've got to respond. That means you've got to record it. You've got to record that you've got one, and then you've got to understand that the individual is who they say they are. You've got to go through that process of validation, if you like, or re-identifying the individual, understanding exactly that the individual is who they say they are, that they have the rights they're claiming, and that you're going to respond to them. Then you'd probably need to communicate. That might be something like, "Hey, we've received your request. We're going to go ahead and process it. We're going to give you all the data you are legally entitled to." Then you've got to go out and find that data. You've got to request the data, and this is where it gets difficult. Hopefully, you should have some data inventory and understand where your data is normally anyway. But it can be hard to go to these departments to get the data back. Whether it's held by a processor or a subcontractor, or whether it's in electronic form or manual form, or on a CCTV tape or microfilm, you're going to have to go out and find that data. That's a good argument for data minimization, in my book: you actually have to go out and get the data. Then, once the data gets back, well, what are you going to do with that data? You've got to come up with some sort of response. 
You've got to organize the data in some way that's meaningful for the individual, and yet that might also mean that there's data in there that you don't want to give out, that you need to redact, because there's some legal exemption you can claim, or because it infringes on the rights and freedoms of others. You might be disclosing other people's personal data in their social and personal capacity. We might have to go through a redaction process and decide what it is you want to include, what it is you want to exclude, and of course you're going to have to justify that. You're going to have to document that. If there are questions later on, you're going to need an audit trail here, a decision-making trail about why you chose to give out, or chose not to give out, certain pieces of data. So you've got to have this process that has got this redaction capability. Who's going to do that? Is it going to be the privacy officer who does that? Is it going to be frontline customer service who does that? Do you need lawyers involved? Do you need technical assistance involved? If it's a CCTV request, do you need to redact or edit CCTV footage, or blur out other people? Do we need technical expertise to do that? Do we need to translate into a different language? Actually, think about all of the ways that we need to respond to different requests. Are we creating a transcript of an audio recording, or are we going to give them the audio files? Lots of interesting things to think about. Then finally, we're going to respond. Within the timeline, we've got to communicate back to the data subject, the individual: "Hey, here's your personal data." How are we going to do that? How are we going to transmit that data, or respond to them, in a way that they're comfortable with? If it's an old lady who's come in with a telephone request, they might not have email, they might not be able to use encryption tools, or a technology solution might not be appropriate. 
You might have to go with a manual disclosure. If you're going to go with an electronic disclosure, well, how would you do that? Do you send it via email? Do you password-protect it? Do you encrypt it? Do you have a secure portal they can come and log in to? You need to make sure that the data transfer is secure and going to the right person, and not disclosed to someone it isn't meant for. You must then make sure that the information has been given structure to allow them to understand it. If you're using technical terms internally, well, what do those technical terms mean? So there are a number of considerations here, a huge number of considerations to think about. Who's responsible? You're going to have a process here that outlines who's responsible for fielding these requests. You're going to have to have training and procedures on how to recognize one and how to deal with one. What authentication methods are you going to use? Not beyond the normal authentication methods you would normally use, I would say. How are you going to record or document these requests? Keep a log, perhaps, and make sure you have the timeline: when was it received? When did you respond? When did you ask for the information? When did you receive the information? What have you redacted? All those sorts of things. How are you going to receive them? Are you going to have an online form, and how are you going to deal with them when they come in in different formats, for example? What types of data are you not going to disclose? When are you going to claim those exemptions? How long are you going to take? I mean, there is actually a limited extension, and I do mean a limited extension, under the GDPR, and again, legislation differs massively across the globe. That's for complex subject access requests. What is a complex access request? Who knows? You are actually allowed to extend it by up to another couple of months where it is complex. 
But then you must make sure, in those terms, that it is complex, be able to defend your action about why it's complex, and perhaps give them the amount of data you can give them as early as you can. It's interesting. What about if it is a third party that's made the request? For example, how are you going to authenticate a law firm acting on behalf of, or a technology company acting on behalf of, an individual? There are actually companies out there that will make requests on your behalf. Great, but does the individual know that they could do it themselves for free? So are they actually acting on behalf of the individual? Difficult questions to answer. The process needs to take into account who we've given it to as well. You always have to give them a privacy notice in addition to the access request response, in order to tell them the data about the data. What does the data mean? What rights might they have next? What could they do with the data? Where does it go? Where does it come from? What's the legal basis? What international transfers are there? All the stuff you would tell them in the privacy notice, you've actually got to give them at the same time as their access request response. Then what's the procedure where they don't agree? What's the procedure if they want to update or change the data, or ask you to erase the data or delete the data? What do they do then? Can they do it themselves with some self-service system? What happens if they want to make a complaint? What happens if you don't agree on a way forward? So we need to communicate a lot of information here, a lot of information. We've got to be aware of all the exemptions as well. These are the UK exemptions; your own law will probably have different exemptions, but just some examples from the UK Data Protection Act of subject access exemptions: we've got exemptions around, for example, where disclosure would prejudice the detection of crime, which makes sense. 
If it's an examination script, or a confidential reference, or negotiations for a pre-contract, or legal professional privilege, or management forecasting, or historical research purposes that aren't attributable to individuals; a number of different exemptions there. As I said, your own national law will have its own exemptions, which means your process needs to think about how you're going to check for those exemptions and whether you are or aren't going to give it out. As I said before, you will also need to give them a lot more than just the data. The first thing that you need to tell them, and this is actually quite often missed, is that you are processing data, or you are not processing data. You would say, "I am, or I am not, processing data on you, and here is how you can access it." Then all that other information you would give them in the privacy notice: what purposes you're going to use it for, what types of data, who you might give it to, how long you're going to keep it, what rights they might have, and, if you didn't collect it yourselves, where you got it from. That's the interesting part of the right. If you're using AI or automated decision-making, how are you going to secure it? Then finally, last but not least, a copy of the personal data. That's an awful lot I've talked about in an awfully short space of time. Actually, there are people who do week-long courses on nothing but how to answer a request, so it's not an easy thing to cope with in a 10-minute course. But for the exam, you definitely need to know that this request exists, and that this right exists across different jurisdictions. 
You'd need to have a process for dealing with it, and to know what the GDPR says about what limited exemptions there might be and what the process is. Just to go back for a second, that process will include the idea of receiving a request, recording the request, identifying the individual, going and getting the data itself, redacting or constructing the response, and finding a way to respond to the individual. Thank you, and in the next section on rights we're going to talk about erasure, rectification and objection, three really important rights that we're going to deal with next.