The data subject access request (“DSAR”) has always been a central pillar of data protection legislation, providing individuals with a means of checking whether their data is being processed lawfully. The GDPR greatly enhances existing data subject rights and provides a harsher potential penalty for an employer’s non-compliance, with breaches assessed against the upper tier of potential fines.
What will change under GDPR?
Staff will still be able to ask for copies/details of their personal data, and the right to ask for inaccurate information to be rectified will continue. However, internal DSAR procedures should now be updated to reflect the changes, for example:
- Employers will have to respond to DSARs without charging a fee (unless the request is excessive or unfounded).
- The response to a DSAR must be quicker than before: within 1 month (extendable in certain limited circumstances; understanding how to assess and operate this extension may be key to success in more involved cases).
- In addition to the usual background information given to the requester regarding the processing of their data, additional matters must now be confirmed relating to data retention periods, safeguards for data transfers outside the EEA, and the right to complain to the Information Commissioner’s Office.
Other potential rights are to have data made “portable” (and transferred to another organisation), or to have such data erased or restricted (i.e. not processed further). However, we expect these to have far less practical impact in most cases for employers, due to the limited circumstances in which those rights will apply.
These data subject rights should be summarised in the employer’s “data privacy notice” to staff.
What steps should employers take to prepare for change?
- Policy updates - Any policy referring to DSARs and/or Data Retention Policies should be updated.
- Training - Those staff most likely to deal with DSARs should receive training on the updated legal regime and company approach to the various judgement calls that will be required.
- Audit and understand - The draft Data Protection Bill currently provides that decisions made regarding restricting any DSAR rights have to be explained and documented in case of future audit. It is vital there is a rigorous and centralised process.
- Updated process - Finally, the processes/software involved in data gathering for DSAR responses must be considered. The GDPR requires that the design, development and selection of any application or product that processes personal data should have privacy considerations at its heart through a system of data protection “by design and default”.
The ICO is clear: DSARs have been a part of life for over 30 years, and employers are expected to have processes and systems set up to enable a meaningful response. With the perfect storm of GDPR publicity and generally increased awareness (and exercise) of rights, there will be nowhere to hide on subject access in future.