GDPR compliance priorities for 2024
Right of access under GDPR
Earlier this year, the European Data Protection Board (EDPB) launched its Coordinated Enforcement Framework (CEF) for 2024, which will focus on the right of access.
This means that organisations can expect data protection authorities to prioritise enforcement against GDPR infringements relating to data subject access requests.
This alert will help you check that your organisation’s data subject rights process is up to standard.
What is the right of access?
The right of access under Article 15 GDPR is one of the most frequently exercised data subject rights and a common source of complaints received by Data Protection Authorities (DPAs). Its aim is to allow individuals to check that organisations are lawfully processing their personal data, which in turn often helps them exercise other data protection rights such as rectification and erasure. Given its significance in data protection, the EDPB chose the right of access as the focal point of its third coordinated enforcement action during its October 2023 plenary.
What will the Coordinated Enforcement Framework do?
Throughout the year, 31 DPAs across the EEA will participate in the CEF to assess how organisations are complying with the right of access in practice.
The EDPB adopted the final version of its Guidelines 01/2022 on data subject rights – Right of access in 2023 (the Guidelines), and participating DPAs will gauge compliance with the Guidelines by:
- sending questionnaires to organisations for fact-finding purposes or to determine if a formal investigation is warranted;
- initiating formal investigations; and/or
- following up on ongoing formal investigations.
Based on our experience with the EDPB's previous coordinated enforcement actions, organisations can also expect some DPAs to expand investigations into other (unrelated) areas of GDPR compliance to include a review of the right of access process.
DPAs will work together to analyse the results of this joint effort to determine potential supervision and enforcement measures. The EDPB plans to publish a report on the final outcomes.
You can read the EDPB’s announcement on CEF 2024 here.
Important takeaways from the Guidelines on data subject rights
Aim
- The Guidelines note that the purpose of the right of access is to provide individuals with sufficient, transparent, and easily accessible information about their data processing, regardless of the technologies used, and to enable them to verify the lawfulness or accuracy of the processed personal data.
- Given the broad aim of the right of access, the Guidelines state that controllers should not analyse why a data subject is requesting access to their personal data; they should in principle only assess what personal data they hold relating to that individual.
Content
- The Guidelines clarify that the right of access has three components:
- confirmation as to whether data about the person is processed or not;
- access to this personal data; and
- information about the processing as outlined in Article 15(1) and, where applicable, Article 15(2) GDPR, such as the purposes of the processing, the categories of data and recipients, the retention period, the data subject's rights, and the appropriate safeguards in case of third-country transfers.
- A number of good practices have been identified, such as confirming receipt of a request to the data subject, with an indication of the response time.
- Particular attention is paid to the identity verification measures controllers should apply before responding to an access request: they must be proportionate, and a controller should not ask for more identifying information than it needs to confirm that the requester is the data subject.
Form of response
- Unless the data subject explicitly states otherwise, an access request should be understood as referring to all personal data concerning them; where the controller processes a large quantity of data, it may ask the data subject to specify which data or processing activities the request relates to.
- The main way to provide access is to give the data subject a free copy of their data, but the Guidelines clarify that this obligation to provide a copy is not to be understood as an additional “right to a copy” of the data subject.
- Article 12 GDPR requires controllers to present an individual's personal data in a concise, transparent, intelligible and easily accessible form. The Guidelines note that this may be difficult when dealing with a large amount of data and recommend a layered approach, rather than delivering all the data in bulk.
How can organisations prepare?
Organisations should ensure they comply with the Guidelines 01/2022, which provide precise guidance on how the right of access has to be implemented in different situations. We recommend organisations consider the following compliance actions:
- Audit the existing data subject request process to identify areas of improvement, both in terms of compliance and efficiency.
- Update and/or further develop the data subject request procedure, including a comprehensive set of response templates to avoid incomplete or inadequate answers which may increase litigation risk.
- Review the appropriateness of the identity verification measures in place for each of the relevant categories of data subjects (eg customers, employees, website users), ensuring they are proportionate to the data held and do not demand more identifying information than is needed.
- Train your organisation, involving not only request handlers but also people likely to receive requests (eg administrative staff, customer service, HR).
If you have any queries about how to prepare for the CEF 2024 or about responding to an access request, get in touch with your usual DLA Piper data protection contact.