GDPR Subject Access Requests: What Employers Need to Know

Under the General Data Protection Regulation (GDPR) (the “Regulation”), which applies from May 25, 2018, individuals will benefit from enhanced rights in terms of their ability to request and access personal data from any entity holding such data about them. This note reviews the changes to the Subject Access Request (“SAR”) regime and provides some guidance to help employers ensure they are GDPR-compliant before that date.

What is a SAR?

SARs are a familiar concept found in the Data Protection Act 1998 (the “DPA”). SARs give individuals the right to know what personal data an organization holds about them, why the organization holds it and to whom the organization discloses it. However, according to the ICO's own official statistics, poor handling of SARs is the data protection issue most frequently complained about by the public. In 2016, 42% of the more than 18,000 data protection complaints lodged with the ICO concerned the rights of individuals to access their personal data held by organizations.

Under the Regulation, the SAR regime is broadly similar to what we are used to under the DPA. However, there are a number of key differences that employers should be aware of, and the ICO has helpfully published some initial guidance explaining the main features of the new regime.

What happens if employers don't comply?

Failure to meet the deadline, or failure to give employees access to all of the data they are entitled to, could expose employers to a significant fine. The maximum fine under the GDPR for a breach of data subjects' rights is up to 4% of total worldwide annual turnover for the preceding financial year or €20,000,000, whichever is greater.
What does the regulation say?

Article 15 of the Regulation

Under Article 15 of the Regulation, employees (the data subjects) have the right to obtain from their employer (the data controller):

• Confirmation as to whether or not personal data concerning them is being processed and, where that is the case, access to the personal data and the following information:
  • The purposes of the processing;
  • The categories of personal data that are processed;
  • The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  • The envisaged period for which the personal data will be stored or, if this is not possible, the criteria used to determine that period;
  • The existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing;
  • The right to lodge a complaint with a supervisory authority;
  • Where the personal data are not collected from the data subject, any available information as to their source; and
  • The existence of automated decision-making, including profiling.
• Where personal data are transferred to a third country or to an international organization, the data subject has the right to be informed of the appropriate safeguards relating to the transfer;
• A copy of the personal data held about them. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, the information must be provided in a commonly used electronic form; and
• The right to obtain a copy must not adversely affect the rights and freedoms of others.

How will GDPR change the current SAR regime?
The right of individuals to access the personal data that organizations hold about them is a key principle of the DPA and will continue to be so under the GDPR. There are, however, a number of key differences that employers should be aware of.

Response time

Under the GDPR, employers must respond to a request for information “without undue delay and in any event within one month of receipt of the request”. This shortens the previous 40-day limit under the DPA. Despite the reduction in the standard response time, the GDPR allows employers to extend the time limit by a further two months (three months in total) where requests are particularly “complex or numerous”. If this is the case, the employee must be informed, within one month of receipt of the request, of the reasons for the extension. Whether a request will be considered “complex” will depend on the facts and context, but the extension is likely to be extremely useful for employers dealing with particularly lengthy requests. Recital 63 of the GDPR states that where the employer processes a large quantity of information about the employee, it should be able to ask the employee to “specify the information or processing activities to which the request relates” before the information is delivered. The more the employee narrows the request, the more difficult it will be for the employer to demonstrate its “complexity”. In all cases, the onus is on the controller to demonstrate that a request is “complex”, but the ICO is unlikely to challenge this provided the employer can give good reasons for the delay.

Fees

Employers can currently charge a fee of up to £10 for dealing with a subject access request. Under the Regulation this fee is abolished and the information must be provided free of charge. This could have a significant impact on some organizations that receive high volumes of requests, such as local authority social services departments.
However, the ICO guidance explains that a “reasonable” fee may be charged where a request is “manifestly unfounded or excessive, in particular because of its repetitive character”. It explains that the fee must be based on the administrative cost of providing the information, which will inevitably mean that the level of the fee can vary significantly depending on the subject matter of the request.

“Manifestly unfounded or excessive” requests

As well as being able to charge for “manifestly unfounded or excessive” requests, employers can now also refuse outright to act on such requests. The ICO guidance explains that, if you do so, “you must explain why to the data subject, informing them of their right to lodge a complaint with the supervisory authority and to seek a judicial remedy, without undue delay and at the latest within one month.” It is nevertheless for the employer to demonstrate that the request is “manifestly unfounded or excessive”. It would not be enough simply to assert that searching through thousands of emails would be disproportionate without taking any steps to isolate the relevant material or to begin a search. If it turns out..