Subject access requests (SARs) can be considered a burden to employers as they are expensive and time-consuming. On the contrary, they are a key part of the protection afforded to employees under the forthcoming General Data Protection Regulations 2016 (GDPR).
The law regarding SARs will change under the new Regulations, so employers need to be aware of these changes and put procedures in place to ensure legal compliance, thus providing employees with appropriate protection.
What are subject access requests?
Subject access requests allow employees to exercise their right to obtain information regarding personal data that is being processed about them and to obtain copies of that data from their employer. In addition, the employer must provide information such as the purpose of the processing and the source of the data.
Changes under the GDPR
Fees: Employers will no longer be able to charge for complying with a request. The only circumstance in which a fee may be charged is where further copies are requested or where the request is ‘manifestly unfounded or excessive’. In some cases, manifestly unfounded or excessive requests can be refused.
Time to respond: Employers will be required to respond to a request within 1 month as opposed to the 40-day time limit currently in place. This may be extended by two months where necessary. An employer must inform the individual within 1 month of receiving the request if it intends to extend the response time.
Electronic requests: Employers must make it possible to make requests electronically (e.g. by email but requests may even be made via social media!). If a request is made electronically, the information should also be provided in an electronic form, unless the individual requests otherwise.
Withholding Information: Where disclosing information would ‘adversely affect the rights and freedoms of others’, employers can choose to withhold personal data. This could potentially now extend to intellectual property rights and trade secrets.
Time to Prepare
Although these changes may seem like a burden, employers need to ensure they can accommodate such changes and ensure they can demonstrate compliance before the GDPR comes into force on 25th May 2018.
If you are an employer and require assistance preparing for the GDPR, please do not hesitate to contact David Gibson – Employment and Regulation Specialist at Short, Richardson & Forth at email@example.com or call 0191 211 1503.