Right of access to personal data by means of a subject access request.
Right to rectification of inaccurate data.
Right to erasure, otherwise known as the right to be forgotten.
Right to object to processing.
Right to restriction on processing.
To respond to requests in a timely manner British Metals Recycling Association (BMRA) recognises the importance of a centralised, efficient information management system. It is reviewing how it organises and stores emails and texts to enable easy and efficient retrieval.
BMRA processes data in relation to its members, whether it be an organisation or individual, on a customer relationship management (CRM) system and a standalone accounting system. Both the CRM and accounting system contain evidence of business transactions including banking details, invoices and receipts, copy cheques, BACS payment receipts, and identification records. Relevant emails, letters and faxes are also stored on a cloud-based server.
Hard copy files are stored in locked cabinets with access restricted to a need-to-know basis. Electronic identification records and financial details are encrypted, with similarly restricted access.
Records relating to employees are kept in individual files. Hard copy files are kept in locked cabinets with restricted access.
The designated Data Protection Lead is responsible for responding to requests from data subjects and will do so within one month. The period may be extended by a further two months where necessary. In these circumstances, the data subject will be informed within one month that more time is needed and the reason why.
Requests need not be in writing. There is no standard wording and they may be made casually over the telephone. On receipt of a request, the Data Protection Lead will log it in the data protection risk register.
He may seek to obtain the data subject’s agreement to limit the request to what is being sought. Otherwise, all the data subject’s personal data is covered and, in response to a subject access request, will be provided.
On receipt of a request, the Data Protection Lead will instigate a search of the relevant files, email folders and inboxes as necessary (Given how broad the definition of personal data and processing are, reference will be made to the data protection policy for the definitions.)
Where a request for a copy of personal data is made electronically, it will be provided electronically.
If the Data Protection Lead does not wish to accede to a request, he will seek legal advice