GDPR: Preparing for Change! What do Employers and HR teams need to know?
Part 6: Subject Access Requests under the GDPR – a real issue for employers?
In part 6 of our series on the General Data Protection Regulation (GDPR) and what it means for employers and HR teams, we concentrate on the new rules on Subject Access Requests (SARs) under the GDPR and how these will affect employers and HR teams.
What is a SAR?
A SAR is a written request made by an individual to access personal information that an organisation holds about the individual; this includes employees requesting information held by employers. SARs are becoming an increasingly popular tool for disgruntled employees seeking to obtain documentation held by their employer or ex-employer, usually in situations where there is a grievance, dispute or dismissal. They can be particularly useful where the information required by the employee is not available through traditional disclosure (see our recent blog on SARs and litigation).
The law – now and in the future
The procedure for making a SAR is similar to that under the current data protection laws enshrined in the Data Protection Act 1998 (DPA), although there are some important changes that HR teams must be aware of:
- Fee: Currently, employers can charge employees a £10 fee for dealing with requests. Under the GDPR, an organisation will not be able to charge a fee for complying with a SAR unless the request is “manifestly unfounded or excessive.” As of yet, there is no guidance on what this will look like, but we would suggest it is likely to be narrowly construed. Employers may only charge a reasonable fee for administrative costs if further copies are requested.
- Time: The current rules grant employers a 40-day time period to respond to SARs. Under the GDPR this time limit is shorter and organisations must respond to SARs “without undue delay” and at the latest within one month. You may be able to extend this period by a further two months, but this will only be for highly complex requests. Again, no guidance has been issued as of yet as to what “complex requests” may look like, and where your organisation seeks to rely on this, advice should be sought.
- Electronic access: Under the GDPR it must be possible to make SARs electronically e.g. by e-mail. Where a request is made electronically, the information should be provided in a commonly used electronic form, unless otherwise requested by the individual.
- Further information: Employers are also required to provide supplementary information alongside the personal data. This includes details of what information is held about the employee and what processing is being carried out, as well as details of “the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period”. Retention policies will be of assistance in this regard.
How will employers be affected?
Employers will have to deal with SARs in a shorter timescale, as well as providing additional information. The data held by employers in relation to staff can be contained in a variety of different ways, from formal HR records to more informal e-mails among employees. Retrieving all the relevant data within the new timescale could be challenging for employers that have not set out clear processes covering every step of dealing with a SAR.
It will now (generally) be free to make SARs, and employees will be entitled to make requests and receive information in an electronic format – this could potentially open the floodgates to an increase in the number of SARs made by employees, which would be burdensome for under-resourced HR teams, particularly where appropriate systems for data management are not in place.
Why should employers comply?
A failure to meet the deadline or provide employees with access to all the data they request could expose employers to a significant fine under the GDPR – remember the maximum fine under the GDPR for data subject breaches is up to the greater of 4% of annual worldwide turnover for the preceding financial year or €20,000,000.
So, how can employers prepare?
- Train HR staff to identify when a request from an employee is a SAR, what timescales are involved and how to deal with requests.
- If you do not already have one, outline a process for handling SARs, e.g. how to identify what is personal data, what data is third party data, what obligations the organisation has to meet, etc.
- Review your data retention policies; and if your organisation does not have one, consider putting one in place.
- Consider preparing template response letters to ensure that all elements of a response to a SAR are being complied with under the GDPR.
- Come to our GDPR seminars (details to be announced) and seek guidance where required!
Contact our Specialist Compliance and Regulatory Lawyers
MacRoberts’ team of data protection specialists can provide expertise and advice to businesses wishing to adopt this proactive approach to compliance preparation. We pride ourselves on our diverse, resourceful and highly skilled team of compliance and regulatory solicitors, who have substantial commercial and legal experience, delivering a pragmatic and commercial approach to our clients and their businesses.
If you require advice, assistance or representation in relation to the upcoming General Data Protection Regulation obligations or any other compliance and regulatory matters, contact our team today for expert advice tailored to your needs and/or sign up to our newsletter to keep up to date with the latest GDPR news and developments.