On the whole, the rights individuals will enjoy under the GDPR are the same as those under the Acts, but with some significant enhancements:
- The rules for dealing with subject access requests will change under the GDPR. The timescale for processing such requests will shorten, dropping significantly from the current 40-day period to a maximum of one month. There will be some grounds for refusing to grant an access request, such as where a request is deemed manifestly unfounded or excessive. However, we are required to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria.
- We will also need to provide some additional information to people making requests, such as our data retention periods and the right to have inaccurate data corrected.
What is UCC doing about this?
We are reviewing our policies and procedures to ensure they cover all the rights individuals have, including how to respond to access requests within the new timescale and how we would delete personal data or provide data electronically and in a commonly used format.
Existing information systems that hold personal data will be assessed to determine whether they can satisfy data subjects' rights under the GDPR, i.e. to delete, amend, rectify and transfer data in accordance with the GDPR. They will also need to be assessed to determine whether they satisfy the principles of privacy by design and default.