General Data Protection Regulation - an employee's right to access their personal data

Last month we covered the key steps employers need to take to get ready for the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.

This month we'll be looking at the right an employee has under the GDPR to ask their employer for copies of the personal data it holds about them, and the impact such a request has on your organisation.

Current rules regarding an employee’s right of access to their data

Currently, employees have the right to request a copy of any personal data relating to them which is held by their employer. This is known as a data subject access request (DSAR). Employers can charge the employee a fee of up to £10 before complying with the request and have 40 days in which to provide copies of the personal data requested. Failing to comply exposes the employer to the risk of a fine of up to £500,000.

New rules under the GDPR

Under the GDPR, employers will not be allowed to charge a fee except in exceptional circumstances, and must respond to the request within one month. Where a request is particularly complex, or the employee has made a number of requests, the employer can extend this period by up to a further two months; however, it must tell the employee within the first month that it is doing so and explain why.

This reduced timeframe will place an additional burden on employers who process vast quantities of personal data, for example where employees send numerous emails each day. Under the GDPR, the maximum fine for failing to comply will be substantially increased, to €20m or 4 per cent of global annual turnover, whichever is the greater.

Time-consuming task

Responding to a DSAR is usually a time-consuming process, as it involves trawling through vast quantities of documents, emails and messages on other platforms held in different areas of the organisation. Where an employee has made a wide-ranging request, the employer can ask them to clarify what information they are seeking so that it can be located more easily. However, the legal position is that, no matter how burdensome the request, the employer must still respond to it.

Once the personal data sought has been located, it will need to be screened for any personal data it contains relating to third parties, such as other employees or customers. Third party personal data should be redacted or otherwise anonymised unless the third party consents to its disclosure. Where anonymisation is not practical and consent cannot be obtained, the employer will need to decide whether it is reasonable to disclose the personal data requested without that consent, weighing the employee's right of access against the third party's right to privacy.

What should you be doing now?

DSARs are a tactic commonly used by unhappy employees in the build-up to bringing an employment tribunal claim. They will usually make a DSAR to obtain information which they have not already seen but which may support the claim they intend to bring. For example, emails between managers discussing their true thoughts about an individual, or the real reason for dismissing them, would be disclosable as part of a DSAR.

With the introduction of the GDPR undoubtedly raising awareness of individuals' data privacy rights, it is highly likely that the number of DSARs will increase from May 2018.

Now is therefore a good time to review your IT systems and organisational processes to ensure that employee personal data can be located wherever it is held across your organisation. Members of staff responsible for data protection should also be trained in handling DSARs so that requests are answered in a timely and appropriate manner. Data protection policies and privacy notices should be reviewed and updated so that they clearly explain an employee's right to access their data and how to make a request.

For more information on how RSM can help you get your workforce GDPR ready, download our PDF or contact Charlie Barnes or your usual RSM contact.