Q&A: Be GDPR-ready on subject access requests

Q: How do I handle a subject access request under GDPR?

A: Employers should be familiar with the General Data Protection Regulation (GDPR) being introduced on 25th May 2018. Many will have already amended their workplace policies or appointed a designated data protection officer where necessary, so attention will now turn to how an organisation should handle day-to-day matters such as a subject access request under these new regulations.

The first step as an employer when receiving such a request is to ensure it meets the obligatory requirements. For a request to be considered valid, it must be submitted in writing. Although there is no specific format for a written request, employers can create a template request letter to ensure uniformity and reduce the chance of error.

Employers have to make several checks once they receive a written subject access request.

First, they must check that the data being requested is specific and relates to personal data, such as age, race or gender. Employers should also check the identity of the individual making the request, although verification may not always be needed.

For example, a current employee may hand you the subject access letter in person. If, however, there are reasonable doubts over the identity of the individual making the request, proof of identity should be requested before releasing any information.

Generally speaking, under GDPR, employers can no longer ask an individual to pay for this information. There are two circumstances in which a fee may be charged: where the request is considered to be manifestly unfounded or excessive, or where further requests for the same information are made. Any charge must be reasonable and relative to the cost of providing the information.

Information must be provided without any unreasonable delay and within one month of receiving the request. It is possible to request an extension up to a maximum of two additional months to handle complex or numerous requests. If an extension is required, the employee must be informed of this within one month of their original request.

Information provided in response to a subject access request may possibly identify another individual. Under GDPR, employers do not have to disclose this information unless the other individual in question has consented to the disclosure, or if it is considered to be reasonable to comply without the individual’s consent.

When it comes to supplying a copy of the requested data to the requester, employers will also have to provide them with certain information relating to the purposes of processing the data, the recipients to whom this data has been disclosed, and the period for which this data will be retained.

Peter Done is managing director of Peninsula