The following was written by Sam Holt, International Engineering
Team Leader & Digital Forensics Pre-Sales at Exterro and posted on
his LinkedIn page.
It's true. A company (who shall remain nameless) tried to charge me
£216 ($296) to access the data they held about me on their systems.
I
was moving house not too long ago, and as part of the long and tedious
process, all documentation about every aspect of the property is
required by your buyers solicitors (and rightly so too).
I was
asked for a specific certificate relating to the installation of my
solar panels, and when looking through all of my documentation, I
realised I didn't have it.
No problems, I'll just contact them
and ask for it—I mean, it's MY data, its data concerning my address, my
first name, last name, my date of birth, copies of my photoID, driving
licence and documents I have signed. So I didn't think the company would
have a problem sending over this data.
It seems that the company
who installed the solar had gone bust—leaving behind a legal entity to
handle all of their clients requests. I think they were charging these
£250 requests to actually make up for the time they had to spend digging
out documents (digital searches), and time spend emailing it to me
(really????)
So I contacted them and asked for the certificate for the solar installation.
Their response absolutely astonished me!
So they had the information I required, but it was going to cost me
£216 to get it. I knew if I took them to court over it, the judge would
probably rule in my favour as the company would be asked to justify £216
for performing a simple last name search for my data in their system.
But this was a problem, I'm trying to sell one house, and buy
another—which is a complex process at the best of times with
solicitors/lawyers, estate agents, chains, and all sorts of other legal
hoops to jump through to satisfy a copy paste document with a legal
header on it.
I didn't want to add extra time and extra process
because I needed this document to proceed. I also didn't like being held
to ransom over this document, this company is preying on the needs of
people moving house because they know the document is absolutely needed
for proving the solar setup has been signed off by a competent engineer.
I felt like this was legal blackmail.
So I decided to exercise my rights within the GDPR. My right to a DSAR (Data Subject Access Request). This means that I can control the data a business holds about me, I can edit it if it is incorrect, ask the business to delete my data, and of course ask for a complete copy of my data. This is what I did.
I even cc'd the ICO casework email address on there too hoping for some impact. (The ICO is the UK Information Commissioners Office, these are the guys handling information breaches, GDPR breaches etc)
Did it work?
You bet it did. Within a few days I had a massive package arrive
through the mail. Every single sheet with my name on had been printed
out, placed into a box and posted to me.
Everything. Including the Certificate I needed!
If you are a business handling any data/PII (personally identifiable
information) then you will be pleased to know that there is a simpler
way of fulfilling these requests than using a windows search and
printing every document you find in the system. Head on over to Exterro DSAR Legal GRC Software Platform to find out more.
Thanks
for reading, I hope you found this article informative, please feel
free to like and share. Please leave me a comment if you wanted to give
me any feedback. I don't profess to be an expert in this field, this
article was generated using my own opinions, and does not reflect the
views of anyone else.