It’s a question many UK businesses thought they had answered in May 2018 when the new regulations came into force amid a blaze of publicity.
The temptation may be to put it on the back burner – but the fact is GDPR is an ongoing issue and a subject that businesses need to continually work on and review.
For instance, a growing number of companies are now receiving subject access requests.
Under the legislation your prospects, clients and staff have rights to access or erase their personal data, correct inaccuracies and object to processing.
The £10 fee to access personal data has now been abolished, and that is being seen as a major reason for the rise that we are seeing. However, there are also reports of companies receiving “nuisance” requests.
Against this background, it is important that businesses understand the processes to follow if a request is received.
You have only 30 days to respond, so it is vital that you have a process to enable you to find, pull out and send the data as required within that timescale.
There can also be wider implications.
What is your data retention policy? Are you holding onto information for longer than you should?
What is your email policy? If you receive a request, how easy is it for you to pull out all the necessary emails?
Does your data contain details about other people and organisations, or personal opinions?
Dealing with subject access requests highlights just some of the many issues we help our clients resolve.