This is the fifth in a series of 12 posts with some advice from the ICO on how to start preparing for the advent of the GDPR in May 2018.
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
The rules for dealing with subject access requests will change under the GDPR. In most cases you will not be able to charge for complying with a request, and normally you will have just one month to comply rather than the current 40 days. The grounds for refusing to comply with a subject access request will also change: requests that are manifestly unfounded or excessive can be charged for or refused. If you want to refuse a request on these grounds, you will need policies and procedures in place to demonstrate why the request meets these criteria.
You will also need to provide some additional information to people making requests, such as your data retention periods and their right to have inaccurate data corrected. If your organisation handles a large number of access requests, the impact of the changes could be considerable, so the logistical implications of having to deal with requests more quickly and provide additional information will need thinking through carefully. It could ultimately save your organisation a great deal of administrative cost if you can develop systems that allow people to access their information easily online. Organisations should consider conducting a cost/benefit analysis of providing online access.
For more details, see the Information Commissioner's Office guidance here.
Source: ICO – Preparing for the General Data Protection Regulation