It has been just over a year since the General Data Protection Regulation (GDPR) had companies up and down the country in a frenzy. The GDPR came into force on 25th May 2018, replacing its predecessor, the Data Protection Act 1998.
With employees reminded of their data protection rights, is it any wonder the Information Commissioner’s Office has reported a 160% increase in data-related complaints made by employees against their employers within the first 5 weeks of GDPR launching?
Yet, do you really know what a subject access request is, and how to approach it?
The Law
GDPR applies to ‘personal data’ and confers on unsuccessful job applicants, employees and ex-employees the right to request access to any such data, known as a subject access request (SAR). Whilst employees have always had the right to access their personal data through SARs, the coming into force of GDPR in 2018 has served as a reminder. As a result, employers must respect the rights of individuals when processing and holding their personal information, through good organisation and data handling procedures.
The six key principles of GDPR:
- Personal data should be processed fairly, lawfully and in a transparent manner.
- Data should be obtained for specified and lawful purposes and not further processed in a manner that is incompatible with those purposes.
- The data should be adequate, relevant and not excessive.
- The data should be accurate and where necessary kept up to date.
- Data should not be kept for longer than necessary.
- Data should be kept secure.
Subject Access Requests
SARs can be hard to recognise. A request does not need to contain the words ‘subject access request’ or refer to ‘GDPR’ to constitute a SAR; it merely needs to ask for personal data. That could include information regarding any grievances or disciplinary action, or information obtained through monitoring processes. The confusion continues because each SAR differs from the next, as each is unique to the individual making it.
A vital change from the Data Protection Act 1998 to the GDPR is the removal of the administrative fee charged to an employee submitting a SAR. This, coupled with the tight time constraints, can present multiple challenges to companies.
Originally, companies had 40 days to respond to a SAR; this has now been reduced to just one month from the date of receipt.
Companies are obliged to respond within one month and inform individuals of:
- What personal data you hold about them
- Why you hold it
- Who you disclose it to
- Where the data is available
Given the nature of the request, responding is not a simple process; arrangements must therefore be in place to deal with any potential SARs.
Consequences
Under GDPR, companies can be fined up to £16.5m or 4% of their turnover if they are found to be in breach of GDPR laws. This is thirty times more than the maximum penalty available under the Data Protection Act 1998. Whilst GDPR sets no fixed period for how long employers can hold records of data, they must be mindful not to hold it for longer than necessary.
If you need any advice on Subject Access Requests or any HR and Employment Law issues please call one of our Employment Law Consultants on 0161 603 2156 to see how we can assist.