Under the General Data Protection Regulation (GDPR) (the "Regulation"), which applies from 25 May 2018, individuals will benefit from enhanced rights in terms of their ability to request and access personal data from any entity holding such data about them. This note examines the changes to the Subject Access Request ("SAR") regime and sets out some tips for employers to ensure they are GDPR compliant ahead of the upcoming deadline.
Subject Access Requests Under the GDPR: What Employers Need to Know
What is a SAR?
SARs are a familiar concept found in the Data Protection Act 1998 (the "DPA"). SARs entitle individuals to find out what personal data an organisation holds about them, why the organisation is holding it and to whom that organisation discloses it. However, according to the ICO's own official statistics, mishandling of SARs is the number one data protection issue complained about by the public. In 2016, 42% of the more than 18,000 data protection-related complaints lodged with the ICO concerned individuals' rights to access their personal data held by organisations.
Under the Regulation the regime for SARs is broadly similar to what we are used to under the DPA. However, there are a number of key differences employers should be aware of, and the ICO has helpfully issued some initial guidance to explain the key features of the new regime.
What if employers fail to comply?
A failure to meet the deadline, or to provide employees with access to all the personal data they are entitled to, could expose employers to a significant fine. The maximum fine under the GDPR for infringements of data subjects' rights (Article 83(5)) is the higher of €20,000,000 or 4% of total worldwide annual turnover for the preceding financial year.
What does the Regulation say?
Article 15 of the Regulation
Under Article 15 of the Regulation, employees (the data subject) are entitled to request from their employer (the controller):
- Confirmation of whether their personal data is being processed and, where that is the case, the following information:
  - The purposes of the processing;
  - The categories of personal data concerned;
  - The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  - The envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
  - The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing;
  - The right to lodge a complaint with a supervisory authority;
  - Where the personal data are not collected from the data subject, any available information as to their source; and
  - The existence of automated decision-making, including profiling.
- Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer; and
- A copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.
How will the GDPR change the current SAR regime?
The right for individuals to gain access to the personal data that organisations hold about them is a key principle of the DPA and will continue to be so under the GDPR. There are, however, a number of key differences employers must be mindful of:
Time to respond
Under the GDPR, employers must respond to a SAR "without undue delay and in any event within one month of receipt of the request." This shortens the previous limit of 40 days under the DPA. Although the standard time limit has been reduced, the GDPR allows employers to extend the deadline by up to a further two months (so three months in total) where requests are particularly "complex or numerous." If this is the case, the data subject must be informed within one month of making their request of the extension and the reasons for it. Whether a request is "complex" is likely to be fact and context dependent, but the extension is likely to be extremely useful for employers dealing with particularly time-consuming requests. Recital 63 of the GDPR suggests that where the employer processes a large quantity of information about the employee, it should ask them to "specify the information or processing activities to which the request relates". The more the employee narrows down their request, the harder it will be to show "complexity". In any case, the burden is on the data controller to show that a request is "complex", and it is unlikely the ICO will challenge the assertion provided the employer can give good reasons for the delay.
Fee
Employers can currently charge up to £10 for carrying out a subject access request. Under the Regulation, the fee will be scrapped and the information must be provided free of charge. This could have a significant impact on certain organisations that receive voluminous requests, such as local authority social services departments. However, the ICO guidance explains that a "reasonable" fee may be charged if a request is "manifestly unfounded or excessive, particularly if it is repetitive." It explains that the fee must be based on the administrative costs involved in retrieving the information, which will no doubt mean that the level of fee varies significantly depending on the scope of the request.
"Manifestly unfounded or excessive" requests
In addition to being able to charge for "manifestly unfounded or excessive" requests, employers may now also refuse outright to respond to such requests. The ICO guidance explains that "you must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month." Nevertheless, the burden is on employers to show that the request is "manifestly unfounded or excessive". It would not be enough simply to say that the effort to search a pool of thousands of emails would be disproportionate without taking any steps to isolate them or engaging with a process of searching them. If it transpires that there are significant technical difficulties in recovering the emails, then the employer may begin to move into the territory of disproportionate effort. In reality the bar for relying on a request being "manifestly unfounded or excessive" will be quite high.
Electronic access
From 25 May 2018, it must be possible for employees to make SARs electronically. Where the request is made electronically, the information should be provided in a commonly used electronic form, unless otherwise requested by the individual. The ICO also used its revised code on SARs to confirm that "individuals may make a SAR using any Facebook page or Twitter account your organisation has, other social-media sites to which it subscribes, or possibly via third-party websites". It said that organisations can steer people towards submitting SARs through a particular communications channel, but "may not insist on the use of a particular means of delivery for a SAR". The ICO said, however, that organisations are entitled to ask requesters to confirm their identity and that they can, in some cases, respond to SARs submitted via social media using other communications channels. Confirming identity before responding matters in practice: a response sent to someone who is not the data subject is itself a disclosure of personal data to a third party.
Right to withhold personal data
Under the GDPR, organisations can withhold personal data if disclosing it would "adversely affect the rights and freedoms of others." It will be up to the UK government to introduce any further exemptions to SARs, such as for national security, defence and public security.
What steps can employers take to prepare for the new regime?
There are a number of actions employers can take to ensure they are ready for the changes in May 2018. We would suggest that they consider:
- Updating internal policies and procedures on responding to requests from individuals in relation to their personal data, in line with the wider GDPR requirements and rights, which now include the right to access personal data, the right to data portability, the rights to rectify and delete data, the rights to restrict and object to processing, and the right to lodge a complaint with a supervisory (data protection) authority;
- If you do not already have one in place, outlining a process for handling SARs, e.g. how to identify what constitutes personal data, what data is third-party data and what obligations the organisation now has to fulfil to ensure it is compliant;
- Training staff to identify when a request from an employee is a SAR, ensuring they are aware of the new shorter timescale and know how to deal with requests as efficiently as possible;
- Keeping tabs on all the systems where personal data is held, in line with the new obligation under the GDPR to keep records of processing activities (Article 30). This can cover hard-copy documents as well as information stored electronically, such as emails, text messages and spreadsheets;
- Updating internal IT systems to allow for the deletion and transfer of personal data, and ensuring that data pertaining to an individual can be quickly isolated;
- Reviewing your organisation's data retention policies and ensuring the relevant individuals are aware of them;
- Preparing template response letters to ensure that every element required of a SAR response under the GDPR is covered, which should help make SAR responses more efficient and thorough;
- Considering GDPR best practice and perhaps setting up a "data subject access portal" which allows an individual to access their information quickly, easily and remotely. However, employers must remain mindful that this should not "adversely affect the rights and freedoms of others", so careful thought will need to be given to whether third-party data should be redacted before putting it on the portal, and to how users of the portal are authenticated before any data is shown to them.