Small businesses and the GDPR Right to Rectification
Please note this information is now out of date - please refer to the ICO for up-to-date GDPR information.
How to implement the GDPR Right to Rectification for small businesses
Your customers now have the right to correct any personal data you hold about them. This means they can ask to see a copy of all personal data you store about them using the Right of Access and then request that it be corrected. A request can be made by any means (in writing, by email or verbally), and you need to be able to make the correction within one month.
You should always attempt to verify the identity of the person making the request before proceeding - typically by having them state the full name, address, postcode and perhaps other details in the customer record prior to correcting their information.
Can I charge a fee for dealing with a subject access request?
You can refuse to comply with a request for rectification if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. If you consider that a request is manifestly unfounded or excessive you can:
- request a "reasonable fee" to deal with the request; or
- refuse to deal with the request.
In either case, you will need to justify your decision.
What you need to do
Realistically, for most small businesses you'll need to be able to edit any electronic information you hold about a customer - which is supported by just about every type of computer system.
If you can justify the time/cost, you could create a web form that lets people leave their details and pick which of their GDPR rights they want to exercise. It should then email you all of that information for you to act on. You can see an example here.
Further details about the Right to Rectification can be found on the ICO website here.