GDPR right of access: new guidance

Under the General Data Protection Regulation (GDPR), individuals have the right to a copy of the personal data that your organisation holds about them. This is often known as a subject access request (SAR). The Information Commissioner’s Office (ICO) has recently issued new guidance for businesses and employers about how SARs should be dealt with.

The law

Employers must respond to a SAR from a worker without delay, and within one month from receiving the request. If it’s a complex issue, you might be able to extend this for up to two months. But if you don’t respond within the right timeframe, or at all, there’s the possibility of fines or reprimand from the ICO.

In the ICO’s own words: ‘The right of individuals to access information that organisations hold on them is one that is vital for transparency and is enshrined in law. What we’re seeing now is that many employers are misunderstanding the nature of subject access requests, or underestimating the importance of responding to requests.’

Getting it right

In practice, though, what does compliance look like? It might sound straightforward, but reality doesn’t always fit text-book scenarios.

To help your staff recognise a request, they need to know that SARs can be made in all sorts of ways: there’s no formal procedure needed. Contact can be verbal, in writing – even via social media. Questions as simple as ‘what information do you hold on me?’ or ‘can I have a copy of the notes from my last appraisal?’ count as SARs and need an appropriate response. There’s no necessity even to use the words ‘subject access request’ – it’s up to your organisation to identify that this is what is being made.

It’s important, too, that staff know how to respond and who to pass the request to. A valid request can be made by means of contact with any part of your organisation: it doesn’t have to be addressed to a specific person. But the employer’s side of the equation is different, and the ICO does expect you to have a designated person, team and email address to deal with SARs.

With more than 15,000 complaints in this area made to the ICO last year, it’s important that businesses and employers get it right. Further details can be found on the ICO website.