Since its inception, the General Data Protection Regulation (GDPR) has brought a paradigm shift in how organisations approach data privacy. Handling subject access requests (SARs) effectively and within the prescribed time remains a challenge for many employers, especially as SARs become more onerous. Employees and other staff members are more conscious than ever of their data protection rights, which has resulted in both a significant growth in the number of SARs received by employers and a large rise in complaints to the Information and Data Protection Commissioner (IDPC). Mishandling of SARs remains the foremost source of complaints under the GDPR. Understanding how to respond to a SAR is of paramount importance, because a failure to respond can expose the business to claims, fines, enforcement action and reputational damage.
Most organisations hold large volumes of personal data about their existing employees, former employees and other staff members. Increased awareness amongst employees (and the removal of the fee) has led to a sharp rise in SARs. Consequently, organisations face the biggest risk under the GDPR in respect of employment-related subject access requests, as they must manage an increasing number of SARs submitted by employees and other staff members. Employees, former employees and other staff members use SARs in the context of broader employment disputes, including unfair dismissal, whistleblowing or discrimination claims, in order to increase their employers' legal and management costs and to obtain information for use in those claims.
The GDPR grants additional rights and protections to employees as data subjects, with significant impacts on the employment sphere. The key changes brought by the GDPR that are likely to increase the number of SARs are:
- There is no limit on the number of requests, or on how frequently a request can be submitted, which is contributing to the rise in the use of SARs.
- Employers are required to respond to a SAR free of charge except where the request is manifestly unfounded, excessive or repetitive in nature.
- Employers must respond to a SAR without undue delay and within one month of receipt of the request (although an extension of up to two months is available for particularly complex requests).
- Data must be supplied in a structured, commonly used and machine-readable form, the costs of which fall to the employer, and the first copy of any SAR outcome must be supplied free of charge.
Employers must be careful when dealing with SARs. They must not ignore SARs, especially in the context of employee management and dismissal processes. Employment tribunals are now alert to these issues and may take failures to comply with SARs into account. In addition, employers must:
- Respond to a SAR within the legal timeframe provided.
- Liaise with the individual if further information is required to verify their identity or to locate the requested information.
- Locate the requested personal data.
- Redact or remove data relating to other individuals unless they have consented, or it is reasonable in all the circumstances to provide that information.
- Consider whether an exemption applies under which the data would be exempt from disclosure.
- Supply a copy of the relevant data and explain if, and why, any exemption is being relied on.