The General Data Protection Regulation (GDPR) will come into force on 28th May 2018. It replaces the existing data protection legislation and preserves existing rights, but will provide new rights and enhanced protection for individuals. Failure to comply with the provisions of the GDPR may lead to greatly increased fines, so any company processing personal data needs to be aware of the changes.
New data subject rights include the right to erasure, requiring a company to delete the personal data it holds. This data could include personnel records, computer data, CCTV, electronic access records, etc.
Individuals will also have the right to rectification of any inaccurate personal data.
Under the current regulations, an individual can make a subject access request to find out what information a company holds about them, to verify whether it is lawful and correct. Under the GDPR, the right to charge a fee for this information is abolished and the time to provide the information is reduced to one month.
The GDPR allows companies to refuse to respond to such a request where it is manifestly unfounded or excessive; however, they should seek legal advice before making such a decision.