Subject access requests can be expensive and time-consuming for employers, yet they are a key part of the protection afforded to employees under the incoming General Data Protection Regulations (GDPR). With 50% of businesses admitting they are unaware of what their GDPR obligations will be come May, we’ve set out below the changes employers need to know about.
What are subject access requests?
Subject access requests allow employees to exercise their right to obtain from their employer information as to whether or not personal data is being processed about them and, if it is, to obtain copies of that data. In addition, the employer must provide information such as the purpose of the processing and the source of the data.
What is changing?
- Fees: employers will no longer be able to charge for complying with a request. The only circumstance in which a fee may be charged is where further copies are requested or where the request is ‘manifestly unfounded or excessive’. In some cases, manifestly unfounded or excessive requests can be refused.
- Time to respond: employers will be required to respond to a request within a month (currently 40 days). This may be extended by two months where necessary. An employer must inform the individual within 1 month of receiving the request if it intends to extend the response time.
- Electronic requests: employers must make it possible to make requests electronically (e.g. by email, though requests may even be made via social media!). If a request is made electronically, the information should also be provided in an electronic form, unless the individual requests otherwise.
- Withholding information: where disclosing information would ‘adversely affect the rights and freedoms of others’, employers can choose to withhold personal data. This could potentially now extend to intellectual property rights and trade secrets.
What do you need to do?
The GDPR comes into force in May this year. Employers need to be considering now how they can implement it. For more information, please contact a member of the employment team or Ben Jackson in our Corporate and Commercial team. You can also read Ben’s article on GDPR here.