GDPR and Subject Access Requests – what's changing?

In the suspicious world we live in, more and more employees are making subject access requests (SARs): some fearing what they might find, some simply angling for information, and some attempting a 'smoke and mirrors' cover-up during a formal process. As a result, employers now receive an ever-increasing number of requests.
I, for one, had hoped that the introduction of the GDPR would be an opportunity to reform the process properly and perhaps even rule out SARs that are nothing more than a 'fishing exercise'. Sadly this did not happen, and with the abolition of the fee (minor as it was) as a deterrent, I only see HR teams and small business owners receiving more and more of them.
So, some key practical points to consider when responding to SARs:

  • You will have to comply within one month, rather than the current 40 days, once the GDPR applies from 25 May 2018.
  • If the request is complex, or you receive a number of requests from the same individual, there is scope to extend the time limit by a further two months, which could really help. You must still tell the individual within the first month that you are extending and why.
  • You will no longer be able to charge a fee in the normal course. The only exceptions are where a request is "manifestly unfounded or excessive" (see below), or where the individual asks for further copies of the same information, in which case a reasonable fee based on administrative cost is permitted.
  • Before rejecting a subject access request as "manifestly unfounded or excessive" (see below), try to narrow the scope with the employee concerned so that you understand what they actually want. In fact, you should do this even where you don't plan to reject a request, given there will be no fee and less time in which to comply.
  • Carefully consider what information you hand over and whether it is personal data at all (see the ICO Guidance on what is Personal Data). Err on the side of caution, and whatever you send, transfer it securely.
  • Organisations could also consider putting in place systems that allow individuals to access their information easily online; a good self-service HR system will assist with that. I have a favourite, but that is for another blog. Remote access of this kind is recommended as best practice under the GDPR. A word of warning, though: consider it carefully and plan properly, as some employers have found that having this information readily available does more harm than good if it is not set up appropriately.

One small light through the GDPR door is the new opportunity for employers to refuse to comply with requests which are "manifestly unfounded or excessive". Yay! However, only case law going forward will tell us exactly what that means. In the meantime, a useful tip when considering whether to accept a request, or to knock it back as a fishing exercise, is to determine the reason for it. Data protection law exists to allow data subjects to check that a data controller's processing of their personal data is not unlawfully infringing their privacy and, if it is, to take the steps the DPA provides to correct that. So, if you believe the real purpose of the request is to obtain information for use in litigation, the argument runs that this is an improper purpose and the data controller is not obliged to comply: if the request would not have been made but for the collateral purpose of obtaining information to allow a claim to be made, it is an abuse of purpose. Be aware, however, that the courts have not accepted this argument wholesale. In Dawson-Damer v Taylor Wessing (Court of Appeal, 2017) it was held that a litigation motive alone does not entitle a controller to refuse a SAR. So tread carefully, and seek advice before knocking a request back.

Have any questions about #GDPR #DataProtection #SubjectAccessRequests? Contact me on info@