Tackling Subject Access Requests from staff – top tips for employers
Since the introduction of the General Data Protection Regulations (GDPR) and Data Protection Act 2018, we have experienced a considerable rise in the number of Subject Access Requests made to our employer clients. Requests can be burdensome, time-consuming and costly to deal with but there are some practical ways to minimise these problems.
A subject access request enables individuals to find out what personal data you (the “Data Controller”) hold about them, why you hold it and who you disclose it to.
Once a request is made you only have one month to respond to the request, unless you are able to justify an extension of up to three months.
A failure to meet the deadline or provide staff with access to all the data they request could expose you to significant risk and penalties.
Practical tips on dealing with requests
• Reduce the volume of data you hold – if you have a robust system of retention and deletion of documents it will help reduce the number of emails and other documents to review.
• Ask if there is anything they are specifically looking for – in the majority of cases the individual is looking for something in particular.
• Make sure the person responsible for conducting the search understands the definition and meaning of “personal data” and “sensitive personal data” so that it can be identified quickly and easily.
• Extract data or provide documents? – when providing someone with access to their personal data you cannot disclose someone else’s personal data. An alternative may be to extract the relevant data from the documents.
• Rethink what you put in writing.
• Use a data room or other secure mechanism to provide the documents to the employee, this will be easier for you to upload, rather than trying to send a huge file via email.
How can we help
Our assistance can be hands-on or ad-hoc advice. It will be entirely dependant on your requirements – as little or as much help as you need. If you plan ahead, get legal advice from the outset and properly manage the collation and disclosure of personal data, the burden of dealing with subject access requests can be minimised. If you have any questions or require assistant please contact Ellen Goodland at firstname.lastname@example.org.
Pictured above Ellen Goodland