Introduction: data protection

Regardless of Brexit, GDPR will bring in a range of new rights allowing employees to access information held on them by employers. GDPR will replace the provisions of the Data Protection Act 1998 (DPA).

GDPR preserves the current rights regarding data and also provides new and enhanced rights and protection for individuals, who are known as 'data subjects'. Failure to comply with the provisions of the GDPR may lead to greatly increased monetary sanctions, so it is critical that any organisations processing personal data are aware of the changes.

Key changes
New data subject rights include the right to erasure, requiring an organisation to delete the personal data it holds and to cease processing it any further. This data could include personnel records, metadata on computers and servers, CCTV, call logs, electronic premises access records, health and safety reports and any other electronic records or filing systems used within a company.

In addition, individuals will have a right to have their personal data corrected if it is being processed inaccurately, and a right to data portability, essentially giving an individual the ability to obtain a copy of their personal data in a commonly used, machine-readable format.

Subject access requests
Perhaps the most prominent and commonly used right under the DPA is 'subject access', where a worker can make a request to see what information is held about them. The access request is often made during a dispute or Employment Tribunal claim and can result in a company spending hours checking paper documents, email histories and a huge number of computer files. This is changing under the GDPR. GDPR defines personal data as 'any information relating to a data subject', and a data subject as an identified or identifiable (whether directly or indirectly) living person to whom personal data relates.

Companies will have to consider how individuals, in particular employees, can be identified. Names clearly identify a person, but so may an email address, a payroll number or computer login details. Careful consideration will need to be given to any other aspects of a company's operations that use alternative designations (through coding or shorthand) to identify an individual.

GDPR sets out the purpose of a subject access request, something that is not explicit in the current regime. The right of access is stated to enable an individual to be aware of, and to verify, the lawfulness of the processing of their personal data.

Companies will need to use 'reasonable means' to identify those making a subject access request. For an employee, this should be sufficiently easy given the nature of the relationship. When requesters are not employees, you will need to set out a process for checking identification so that you can be sure the requester is who they claim to be. This could include asking for a passport or driving licence and recent utility bills. This data should be processed only in order to verify the identity of the requester, and processed no further once that purpose has been satisfied.

Further, under the DPA a fee of up to £10 can be charged for responding to a request. Helpfully, the time for complying with a request does not commence until payment has been made. This will no longer be the case under the GDPR, as the right to charge a fee as standard is abolished. Organisations will be able to charge a 'reasonable fee' when complying with requests for additional copies of data previously provided. The Information Commissioner's Office states that the fee must be based on the administrative cost of providing the further copies. To clarify, this would not enable a company to charge for a subsequent subject access request that sought data which had not previously been requested or provided.

Another big change to the subject access regime will be the time allowed for compliance. Less time will be available in which to comply with a subject access request. The current regime allows 40 calendar days, but the GDPR will reduce this to one month. Companies may, however, be able to seek an extension of up to a maximum of two further months in cases of complex or numerous requests from an individual. If an organisation seeks an extension, it must notify the requester within one month of receiving the original request and set out why the extension is necessary. Any explanation will need to be sufficiently detailed to justify the extension.

Companies will be able to exercise their right, where legitimate, to ask the requester to specify the information to which the request relates. Asking for this will not pause the time for complying, but it may be of particular use to those organisations that process large amounts of personal data, bringing the search into focus.

Finally, companies will be able to consider whether a request is manifestly unfounded or excessive. This is a new avenue for organisations receiving disproportionate requests. Companies may be able to refuse to respond to such requests, or rely on the administrative charge if the information is something that has been provided previously. Deciding whether a request is 'manifestly unfounded or excessive' will turn on the individual facts.

As we get closer to the GDPR deadline, more guidance will be available and we will feature this topic regularly within this newsletter.

The Sevier Consultancy Group for
all your Personnel, Training and Business needs

Call us on

01726 860227
