This might also interest you...

SARs: Employer’s Burden vs Employee Protection

15 Mar 2018


Subject access requests (SAR’s) can be considered a burden to employers as they are expensive and time-consuming. To the contrary, they are a key part of protection afforded to employees under the forthcoming General Data Protection Regulations 2016 (GDPR).


The law regarding SAR’s will change under the new Regulations therefore employers need to be aware of these changes and put procedures in place to ensure legal compliance thus providing employees with appropriate protection.


What are subject access requests?


Subject access requests allow employees to exercise their right to obtain information regarding personal data that is being processed about them and, to obtain copies of that data from their employer. In addition, the employer must provide information such as the purpose of the processing and the source of the data.


Changes under the GDPR

  1. Fees: Employers will no longer be able to charge for complying with a request. The only circumstance in which a fee may be charged, is where further copies are requested or where the request is ‘manifestly unfounded or excessive’. In some cases, manifestly unfound or excessive requests can be refused.

  2. Time to respond: Employers will be required to espond to a request within 1 month as opposed to the 40 day time limit currently in place. This may be extended by two months where necessary. An employer must inform the individual within 1 month of receiving the request if it intends to extend the response time.

  3. Electronic requests: Employers must make it possible to make requests electronically (e.g. by email but requests may even be made via social media!). If a request is made electronically, the information should also be provided in an electronic form, unless the individual requests otherwise.

  4. Withholding Information: Where disclosing information would ‘adversely affect the rights and freedoms of others’, employers can choose to withhold personal data. This could potentially now extend to intellectual property rights and trade secrets.


Time to Prepare


Although these changes may seem like a burden, employers need to ensure they can accommodate such changes and ensure they can demonstrate compliance before the GDPR comes into force on 25th May 2018.


If you are an employer and require assistance preparing for the GDPR, please do not hesitate to contact David Gibson – Employment and Regulation Specialist at Short, Richardson & Forth at or call 0191 211 1503.

Share on Facebook
Share on Twitter
Please reload

Please reload

  • FB
  • Twitter
  • LinkedIn
  • Youtube

Short Richardson & Forth, 4 Mosley Street, Newcastle upon Tyne, NE1 1DE

Tel: +44 (0)191 232 0283  ·  Email:


Short Richardson and Forth Solicitors Limited is a private limited company registered in England and Wales under company number 10572065, authorised and regulated by the Solicitors Regulation Authority No 637150.

Short Richardson and Forth Solicitors Limited is a private limited company constituted and run in accordance with the provisions of the Companies Act 2006. The term “partner” has been used to denote individual senior solicitors employed by Short Richardson and Forth Solicitors Limited.