Subject Access Requests (SARs) are nothing new. For the past two decades, employees have been able to request all the personal information you hold on them under the Data Protection Act (DPA) 1998 – often searching for leverage as part of a dispute or employment tribunal.
However, May 2018’s new General Data Protection Regulation (GDPR) brings some notable changes to SARs that are likely to increase the pressure on HR personnel.
Three key changes for SARs under the GDPR
Companies can no longer charge a fee for SARs
Under the DPA, companies could charge a standard fee of £10 per request. Now that requests are free, employees are more likely to submit them. Where a request is “manifestly unfounded or excessive” (for example, repetitive), you may charge a “reasonable fee” based on the administrative cost of responding, or refuse to act on it; in either case the burden is on the organisation to demonstrate that the request is unfounded or excessive.
NB where you refuse to act on a request, you must tell the individual why, without undue delay and at the latest within one month, and inform them of their right to complain to the ICO and to seek a judicial remedy.
Companies must respond to a SAR within one month
Under the GDPR you must respond without undue delay and in any event within one month of receipt, roughly 10 fewer days than the DPA’s 40-day deadline. Where requests are particularly complex or numerous, this period can be extended by a further two months, but you must tell the individual about the extension, and the reasons for it, within the first month.
Employees can make requests electronically, and the company’s response needs to be in a commonly used electronic format
Robust and searchable data storage and systems are key to making this as pain-free as possible. This may call for a review of your HR and company-wide technology and systems to make sure they’re GDPR-ready.
How HR can prepare for an increase in SARs
These changes mean you’re going to have to respond quickly and the business won’t be compensated for the time. To make sure you stay in control, HR needs to get on top of processes, technology and training.
Consider putting specific SAR protocols in place, such as template letters and a log for recording the date each request was received so the deadline can be tracked. A request does not have to cite the GDPR or use the words “subject access request”, and it may not come directly to HR, so make sure your team, line managers and others across the business are trained to recognise a request and know what to do when approached with one.
You’ll also need to assess the organisation’s ability to quickly isolate and collate data relating to a specific individual. People can also request to know if their information has been shared with a third party – such as an external HR provider. You’ll need to be able to confirm where the data was sent and for what purpose.
UK Information Commissioner Elizabeth Denham said, “Research suggests the SME sector is less prepared than others for the changes. We know that many small businesses are keen to get it right, but with so much misinformation out there it’s difficult for them to know what’s right and what’s not.”
If you need help preparing your HR team or the rest of the business for the GDPR, see the online GDPR training courses from Me Learning.