Since GDPR came into force on 25 May, the following changes took place in relation to data access requests:|
- The fee for data access requests no longer applies.
- Businesses must respond to data access requests within one month. The request may be extended for up to two additional months if it is complex and excessive. It is essential to keep the data subject informed of any extended timeframes to their request.
- If the data access request has been made electronically, e.g.: email or web form, then the response must be sent electronically unless the data subject requests otherwise.
- Businesses may charge a reasonable fee for administrative costs if the request is found to be excessive.
- Businesses may have some grounds to refuse a data access request if it is “unfounded or excessive”. Your business will need to have a clear policy that details the grounds and procedures for refusing this type of data access request.