The impact of GDPR of Subject Access Requests

Andrew Masters

Partner & Head of Employment

View bio

April 10, 2018

Categories Employment LawGDPR

In the third and final instalment of the Furley Page Employment Team’s GDPR blog, we look at the impact of the GDPR of Data Subject Access requests.

These have historically been time consuming for employers, and used by individuals as a means of receiving disclosure in advance of bringing an employment tribunal case. Will the GDPR limit the impact on employers?

The old right to access personal data

Part II of the Data Protection Act 1998 contained the right to access personal data, usually referred to as a Subject Access Request. This was submitted by way of a written request, and the data controller could chose to request payment of £10. The information then had to be provided within 40 days of the written request (or payment of the £10 if requested). The information that needed to be provided included whether the data was being processed, a description of it, the purpose for which it was being processed, and to whom it may be disclosed.

The new right to access personal data

Article 15 of the GDPR provides:

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and where that is the case, access to the personal data and the following information:

(a) The purposes of the processing;
(b) The categories of personal data concerned;
(c) The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing or personal data concerning the data subject or to object to such processing;
(f) The right to lodge a complaint with a supervisory authority;
(g) Where the personal data are not collected from the data subject, any available information as to their source;
(h) The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic.

Changes imposed by the GDPR

The first change is that the current fee of £10 will no longer be chargeable, although employers may charge “a reasonable fee”. It has long since been an issue that the time involved in collating a data subject access request is disproportionately high compared to the £10 fee employers are legally allowed to charge. There is currently no guidance as to what “a reasonable fee” may be, but the GDPR does contain provision for further regulations to be brought into force to set a limit.

The second change is that compliance with the request must take place “without undue delay” and at the latest within one month of the request. This will mean that employers can no longer leave compliance until the last moment and must be pro-active in their compliance.  If a request is particularly complex or there are numerous requests, the timescale can be extended by up to a further 2 months.

Proportionality

The continuing good news for employers is that the search for the data requested form the employer/controller is limited by “proportionality”. However, guidance published by the ICO states “it will never be reasonable to deny access to the requested information merely because responding to the request may be labour-intensive or inconvenient”. The apparent flexibility over the fee an employer can charge may now serve to balance out the fact that the search may be labour-intensive or inconvenient.

How will the changes impact employers?

With the new right to be informed meaning employers are obliged to provide information up front to employees about the personal data held on them, it may be that the number of data subject access requests fall in number. However, it remains likely that where a contentious dispute arises, individuals may still make requests in order to see the exact context and use of their personal data. Where requests are spurious or disproportionate, the GDPR does provide employers with provisions to charge a potentially higher fee than previously, to extend time limits for compliance, and to potentially refuse to comply with the request.

Although previous case law under the Data Protection Act 1998 will provide useful guidance as to proportionality, we will need to wait to see how these new provisions are applied in practice in order to truly assess whether the impact of Data Subject Access Requests upon employers is minimised.