Significant advances in, and use of, digital technology have led to a vast increase in the quantity of personal data that is processed.
In the employment context, personal data is often stored in an unstructured format, for example in email chains, and is frequently intermingled with highly sensitive information about others. There is nothing unusual about this; however, the complexity begins when employees start making data-related requests.
Employees have a right to make a data subject access request (DSAR) under the GDPR. To respond to a DSAR, employers will likely need to sift through vast amounts of information to find data relating to a particular individual, whilst also ensuring that the privacy of others is protected.
It is no wonder, therefore, that DSARs are often dreaded by employers. However, responding to them does not have to be a painful process. We set out some top tips to guide employers through a DSAR, including how technology can help.
Responding to a DSAR can be time-consuming and expensive. Having a procedure in place to deal with a request will ensure that you deal with the DSAR as efficiently and consistently as possible.
Having an internal policy in place for those likely to be responsible for handling a DSAR could be a good way to achieve this; the policy should include a contact list of the key persons within the business who are likely to be called upon to help respond to the DSAR (such as IT, HR, Legal, etc.).
Ask for more information if needed
Once a DSAR has been received, you should review the scope of the request and consider how to search for the relevant data.
Understanding what an employee wants, or is looking to achieve, can be a good way to narrow the search. In fact, engaging in an open conversation with the individual making the request is considered good practice by the ICO.
It is often underestimated just how long it takes to respond to a DSAR. For example, carrying out the relevant searches can often bring up thousands of emails and/or documents. Under the GDPR, employers must now respond to a DSAR within one month of receipt (unless the deadline can be extended under exceptional circumstances). Therefore, employers should plan any internal timeframes at the outset, so as not to lose sight of the deadline.
Know where to look
Whilst an employer needs to make genuine and extensive searches, this does not mean that you have to leave no stone unturned. In other words, only a reasonable and proportionate search is required.
Whilst the majority of data will be on your main servers, you may also need to check backed-up data, deleted data and data held on other systems.
Be mindful of others’ data
It is paramount that the privacy of third party data is protected when responding to a DSAR. Generally such data should be redacted or removed.
However, if the third party has provided their consent to disclose the data, or where the employer determines that it would be reasonable to disclose the data without consent, such third party data may exceptionally be provided.
Get familiar with the exemptions and what you need to provide to an employee
Not all personal data that you hold about an individual needs to be provided, as certain exemptions exist. For example, legally privileged documents do not need to be disclosed, nor does personal data processed for the purposes of management forecasting or management planning in relation to business planning. It is also worth bearing in mind that, whilst the ICO says that employers should be prepared to take extensive efforts to find and retrieve the requested information, they will not be required to act unreasonably or disproportionately having regard to the importance of providing subject access.
Once the exemptions and any third party data have been considered, employers must provide a copy of the requested personal data. It is worth bearing in mind that this does not necessarily mean that copies of documents need to be provided; rather, there may merely be an obligation to supply the personal data itself. Alongside the personal data, the employer is now required to provide certain mandatory information to the employee about how the personal data has been processed.
If you operate internationally and hold any personal data on the "data subject" in another country, you will need to consider the local data laws as well as the implications of any transfers of data. In particular, if you use a cloud IT service to store and/or process your data anywhere outside of the UK, you will need to think about putting in place appropriate safeguards when transferring data into the UK.
Document the process
If an employee does not think that you have complied with your obligations under the GDPR, they have two options for recourse: either complain to the ICO or apply to the court for a compliance order.
If this happens, it will be incredibly helpful if you can evidence the procedure that you followed to respond to the DSAR. Keeping comprehensive records or a paper trail, for example explaining the rationale for decisions made during the process, is recommended.
Think about how to send your findings
If a DSAR is made electronically, you must provide the data in electronic format, unless the individual has requested otherwise. Keeping a copy on record is also recommended. You should also bear in mind that certain electronic platforms automatically delete documents after a set period of time!
Last but not least… how can tech help?
Often the main problem for employers when responding to a DSAR is knowing where to search and coping with the sheer volume of documents a DSAR can reveal.
Both of these activities can lead to questions about resourcing and costs. Engaging an electronic review platform that is designed to assist with this process may be well worth exploring. We have partnered with a number of leading tech companies who provide such platforms, so that we can offer the most suitable and cost-effective service to our clients for responding to DSARs. We can also work with your own preferred provider or in-house platform.