Dealing with Subject Access Requests under GDPR - Checklist
Posted in: Templates and Checklists ROI on 5 October 2017
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. One of the areas that will change under GDPR is that of data/subject access requests. This is the mechanism by which a data subject (such as an employee or customer) can request access to any personal data an organisation holds about them. As we know from current data protection legislation, subject access requests are common in situations where a dispute or grievance arises between an employer and an employee. The receipt of a subject access request is often a sign that litigation is about to happen.
Linda Hynes, Head of Employment & Data Protection at Leman Solicitors, had previously prepared a handy checklist on how to deal with data/subject access requests. Linda has now updated this to take into account the changes that will apply under GDPR. These include:
- That a fee will no longer be chargeable (unless the cost will be excessive – this will be a high bar and most requests will not justify the charging of a fee);
- The timeframe for complying has been reduced from 40 days to 1 month;
- The categories of information to be provided have increased;
- The personal data should be provided in electronic format where possible and where requested by electronic means.
Organisations should review their procedures in respect of dealing with data/subject access requests to ensure they can deal with them quickly and efficiently. Non-compliance with GDPR can attract fines of up to 4% of total global annual turnover or €20m (whichever is the higher). In 2016, 835 complaints were received by the Data Protection Commissioner in respect of the right of access to personal data and under the new GDPR framework, that figure will only increase.
Click here to download the Subject Access Requests - Checklist.
Disclaimer:
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.