Do not be complacent: GDPR is making some subtle but important changes to the well-known system for subject access requests under the Data Protection Act 1998.
Shorter timescale for response
Employers will have to respond “without delay” to requests and at the latest within one month of receiving the request. There are limited grounds for a 2-month extension, but the employer must (a) notify the employee that more time will be required within the first month of the request, and (b) give the reason for the extension. Under the Data Protection Act 1998 employers had 40 days to respond.
Gone is the £10 fee regime under the Data Protection Act 1998. Under GDPR employers must provide a copy of the requested information FREE of charge unless (a) the request is ‘manifestly unfounded or excessive’ (we await further guidance on what this actually means…in the meantime we would suggest you don’t rely on it), or (b) the information requested has already been provided. In those cases a fee may be charged where it is reasonable and reflects the actual administrative cost.
Refusing to respond
Where requests are ‘manifestly unfounded or excessive’ (this is anticipated to be a high threshold to meet) an employer can refuse to respond. However, an explanation must again be provided within one month of receiving the request. The employee must also be advised without undue delay of his/her right to complain to the ICO and to seek a judicial remedy.
Where a request is made electronically (eg, by email) an employer should provide the information in a commonly-used electronic form, unless otherwise requested by the individual.
These changes will have an immediate impact when the new rules come in in May 2018, so now is the time to review and update policies and procedures dealing with subject access requests and to make sure that sufficient staff are trained and in place to deal with any requests in the new timeframe.