The following was written by Sam Holt, International Engineering Team Leader & Digital Forensics Pre-Sales at Exterro and posted on his LinkedIn page.
It's true. A company (who shall remain nameless) tried to charge me £216 ($296) to access the data they held about me on their systems.
I was moving house not too long ago, and as part of the long and tedious process, all documentation about every aspect of the property is required by your buyers solicitors (and rightly so too).
I was asked for a specific certificate relating to the installation of my solar panels, and when looking through all of my documentation, I realised I didn't have it.
No problems, I'll just contact them and ask for it—I mean, it's MY data, its data concerning my address, my first name, last name, my date of birth, copies of my photoID, driving licence and documents I have signed. So I didn't think the company would have a problem sending over this data.
It seems that the company who installed the solar had gone bust—leaving behind a legal entity to handle all of their clients requests. I think they were charging these £250 requests to actually make up for the time they had to spend digging out documents (digital searches), and time spend emailing it to me (really????)
So I contacted them and asked for the certificate for the solar installation.
Their response absolutely astonished me!
So they had the information I required, but it was going to cost me £216 to get it. I knew if I took them to court over it, the judge would probably rule in my favour as the company would be asked to justify £216 for performing a simple last name search for my data in their system. But this was a problem, I'm trying to sell one house, and buy another—which is a complex process at the best of times with solicitors/lawyers, estate agents, chains, and all sorts of other legal hoops to jump through to satisfy a copy paste document with a legal header on it.
I didn't want to add extra time and extra process because I needed this document to proceed. I also didn't like being held to ransom over this document, this company is preying on the needs of people moving house because they know the document is absolutely needed for proving the solar setup has been signed off by a competent engineer.
I felt like this was legal blackmail.
So I decided to exercise my rights within the GDPR. My right to a DSAR (Data Subject Access Request). This means that I can control the data a business holds about me, I can edit it if it is incorrect, ask the business to delete my data, and of course ask for a complete copy of my data. This is what I did.
I even cc'd the ICO casework email address on there too hoping for some impact. (The ICO is the UK Information Commissioners Office, these are the guys handling information breaches, GDPR breaches etc)
Did it work?
You bet it did. Within a few days I had a massive package arrive through the mail. Every single sheet with my name on had been printed out, placed into a box and posted to me.
Everything. Including the Certificate I needed!
If you are a business handling any data/PII (personally identifiable information) then you will be pleased to know that there is a simpler way of fulfilling these requests than using a windows search and printing every document you find in the system. Head on over to Exterro DSAR Legal GRC Software Platform to find out more.
Thanks for reading, I hope you found this article informative, please feel free to like and share. Please leave me a comment if you wanted to give me any feedback. I don't profess to be an expert in this field, this article was generated using my own opinions, and does not reflect the views of anyone else.