GDPR Countdown Week 4 : Subject Access Requests

As we edge nearer to GDPR deadline day, this week we discuss Subject Access Requests and how changes will affect you going forward

Whilst Subject Access Requests (SARs) are not new, GDPR has brought in some changes. Below is a selection of some of the changes and a few things to remember when dealing with them.

Overall, we believe there will likely be an increase in SARs going forward (largely due to the fee issue referred to below) but it is difficult to predict how much at this stage.

Key Changes:

  • SARs are to be responded to without undue delay and in any event, within one month of receipt of the request (however, this period can be extended by a further two months where it is necessary in consideration of the complexity and number of requests).
  • Employers will not be able to charge a fee for Subject Access Requests unless it is “manifestly unfounded or excessive”.
  • Employers will have the option of refusing to act upon a request if the requests are found to be manifestly unfounded or excessive (although the burden will be on the Employer to show that this is the case and this is likely to be limited to fairly extreme circumstances).
  • Employers are to provide electronic means for SARs to be made and where an employer processes a large quantity of personal information, it is able to request, before responding, that the employee specify the information for processing activities to which the request relates.

Things to remember:

  • An employee’s right to request access to the data held about them is nothing new. GDPR was designed to make it a little easier but also to clarify some of the rules.
  • There is no requirement for employees to specifically confirm that they are making a SAR or to send it to a particular person. As such, an employer should educate its employees to recognise when that may be occurring. After all, a month is not a long time to respond.
  • The removal of the right to charge a fee will come as an unwelcome change for most employers as it removes a potential deterrent.
  • It is worth remembering however that the right is to provide a copy of the personal data is not the same as a requirement to supply specific documents. Albeit, it is often easiest to produce a copy of the document (with redactions to protect the information of other people involved).
  • Where there is a large quantity of largely repetitive data, a possible approach could be to summarise the data fairly and in reasonable detail. If such an approach is taken however, it is essential that it is not used to hide information that the employer prefers not to disclose.
  • The principle of proportionality underpins Subject Access Requests which means that whilst an employer must make a genuine and extensive effort, it does not have to go so far as to leave no stone unturned. How far this stretches in practice will be a question of fact and degree. The easier it is to access, the more likely it will be found that it should have been provided. Guidance suggests that the measures adopted to comply with a SAR should not exceed the limit of what is appropriate and necessary to achieve the objectives pursued by the legislation. The issue most employers find troubling is the disclosure of emails (which of course can amount to personal data). This will likely remain to be the case. If you are ever concerned, we would always suggest advice be sought.
  • Recital 63 of the GDPR confirms that an employee’s right is to access their personal data, exercise that right easily and to be aware of, and verify, the lawfulness of processing. The focus therefore when dealing with a SAR centres around establishing the lawful processing basis of any personal data held. Following an employer’s audit of the data they have and confirmation of the basis for its processing (within its own records as well as its privacy notices), this task should not be too onerous.

Should you have any questions about this topic or any other GDPR issues please do not hesitate to contact ross.hutchison@weightmans.com or your usual point of contact.

Share on Twitter