EU Data Protection Regulation - Subject Access Request
07 Jan 2013
A lot has changed in the world since the EU Data Protection Directive was first introduced in 1995. The internet was just beginning and much less data was stored and transferred electronically than today. It is no surprise then that the legislation is being updated to meet the challenges of how global business is conducted in the 21st century.
The Data Protection Act of 1998 followed the EU Directive and one of the key rights for individuals was to give them access to their personal data on request. By making a “subject access request” any individual can request all personal data held about them to check the accuracy. The current Act states that the data controller can charge a fee of up to £10 when supplying individuals with a copy of their personal data. The £10 fee does not cover the cost of collating and supplying the information but does, at least, act as a small check to discourage frivolous or vexatious requests.
Under the new proposed EU Data Protection Regulation, organisations would have to supply this information free of charge.
In 2009, the Ministry of Justice estimated that UK businesses spend £50 million a year in fulfilling subject access requests through additional manpower costs alone. If the ability to charge for a request is removed then this figure could increase massively and put a huge financial burden on UK companies.
If we consider that the volume of data held by organisations now is significantly greater than when the original Directive was passed in 1995 and the fact that collating all the personal data relating to an individual is more difficult now than it ever has been, then removing the charge for a subject access request would seem to be the exact opposite of what is required.
Some organisations hold a vast amount of personal data in many different formats and in many locations. You have live data that might be online and backup archives in various formats. Much of this data in the past would normally have been in a structured format such as a database. This made searching the data simpler. Now data controllers have to deal with unstructured electronic data, such as emails, with no indexing, and try to identify what data refers to the individual and therefore falls within the definition of personal data. Consider an organisation's email records. One person might be referenced in these emails by many different names. Not only that, but these emails might also refer to other records stored in other formats, such as paper files.
On the positive side, the proposed Draft Regulation does allow the data controller to provide the personal information asked for in a subject access request to the data subject in electronic format, if the information is held electronically and the data subject agrees. This makes perfect sense and would save a lot of unnecessary printing of information which when received by the data subject may be then transferred back into electronic format.
One of the aims of the changes in the draft Regulation is to put all EU countries on a consistent footing, but removing the charge for a subject access request surely cannot be good for anyone.