
Subject access requests under Europe's new data protection laws

Sara Johns

Ogier

13 April 2017

Social media and online publications now play a major part in financial commerce. As technology reaches into more corners of our lives, our digital footprints grow constantly – not just in the volume of data about us that firms hold, but also in the number of organisations that hold it.

The EU has responded to the era of 'Big Data' and mobile technology with new legislation that will affect anyone, anywhere, who trades in or shares data with the EU.

The new law – the General Data Protection Regulation (GDPR) – is the first major revision of the data protection laws for almost 20 years, and takes into account the explosion in the use of technology and social media that has occurred in that time. It takes effect on 25 May 2018 and will change the relationship between the public and anyone who holds information about them – whether it's a business, a government department or a charitable organisation – forever.

A revolution is about to occur in "subject access requests", which today are the mechanism through which anyone can apply to a data controller (such as a bank that holds information about them) to see the personal data it holds on them.

The subject access request mechanism has often been used as a pre-action discovery tool: an individual who suspects that they have a cause of action against a data controller asks for the information it holds on them and uses the response to gather evidence.

When a bank receives a subject access request, it should bear the following points in mind.

As a data controller, a bank must respond within 40 days of receiving a subject access request, but it may also ask for clarification or further information. If it does, that "freezes the clock" until a response comes. The bank must also be alert to the possibility of anything that is being disclosed containing the personal data of someone else, i.e. third party data. It is a criminal offence to disclose a third party's personal data in a response to a subject access request.

When the GDPR takes effect in late May next year, the rules that govern subject access requests will change. The definition of "personal data" will be wider and will therefore capture more information; data controllers will have only one month to respond (under the current legislation, they have 40 days in Jersey and 60 in Guernsey), although they will be able to extend that period by up to two further months in the case of complex or multiple requests; data controllers will no longer be able to charge a £10 administration fee, but will be able to charge a 'reasonable fee' when a request is manifestly unfounded or excessive, particularly if it is repetitive; and controllers will have to say where the data came from and with whom it has been shared.

By May 2018 all businesses should be ready to deal with the new subject access request regime – as well as changes involving the deletion of data, the reporting of 'data breaches' and the appointment of qualified data protection officers.

Among other changes are "the right to be forgotten," which will allow individuals to ask for the erasure of personal data; the mandatory reporting of data breaches to regulators within 72 hours of discovery; and fines of up to €20 million or 4% of global annual turnover (whichever is the greater) for the most serious transgressions.

* Sara Johns is available on +44 1534 514205 or at sara.johns@ogier.com. This article was co-authored by her associate, Laura Shirreffs, and counsel Michael Little.