<img src="https://secure.leadforensics.com/84240.png" style="display:none;">

Subject Access Requests: GDPR updates

3 min read | 6 September, 2019 By Rachael Down


Updates to GDPR law means stricter terms for employer's dealing with employee Subject Access Requests (SARs). Here's what you need to know:

SARs updates:

What is a Subject Access Request?

A Subject Access Request or a SAR is a request that can be made by an employee when they want to see any or all personal data that their employer holds on them.

Subject Access Requests: GDPR updates

Companies can no longer charge a fee for Subject Access Requests

Under the current Data Protection Act companies are able to charge a discretionary fee of up to £10 to fulfil an employee’s subject access request. However, when GDPR is implemented individuals will have a right to access their personal information, therefore, it will be free for employees to submit a SAR. And it is predicted that employers will face an influx of subject access requests from those who were previously put off by the cost. According to research from Exonar 9.1% of people said they would submit a subject access request to their current employer, which equates to roughly 3 million employees in Britain. 

Employers needn’t be too worried though. There is a clear lack of understanding when it comes to the changes that the new legislation will bring, as the survey also found that 70% of the population were not aware of the upcoming changes. Likewise, the regulation itself protects employers to some degree. It states that if a request is deemed to be manifestly unfounded or excessive, particularly if it is repetitive, it is possible for employers to charge a ‘reasonable fee’ for the administrative cost of providing the information.

Employers have less time to respond and complete Subject Access Requests

Employers will only have 30 days to comply with a subject access request following the introduction of GDPR, which is a decrease from the current 40 days. If, however, requests are complex or numerous it is possible to extend the period of compliance by two months. This must be done by notifying the requesting individual within one month of receiving the subject access request to explain why the extension is necessary.

How to format and send the request

The General Data Protection Regulation is coming into practice in May because the current DPA doesn’t account for the technology we now use to manage businesses and data. As a result, the way that subject access requests can be made, and the way that information should be provided, has been updated. The regulation states that ‘if the request is made electronically, you should provide the information in a commonly used electronic format’. And that, where possible, it is best practice for organisations to ‘provide remote access to a secure self-service system which would provide the individual with direct access to his or her information.’

How can employers handle the changes to subject access requests?

1. Appoint a Data Protection Officer

To ensure that subject access requests are handled correctly, it's advisable to nominate one person (probably your Data Protection Officer) to take responsibility for coordinating and managing the collection of data to fulfil the request.

2. Develop a process for managing SARs

The new 30-day-response period may sound like plenty of time to respond to a subject access request, but time flies - especially for SMEs. That's why we suggest creating a process for managing such requests.

We encourage our customers, users and HR managers to upload their employee information, documents and performance reviews on to our simple-to-use people admin software. Not only does this help to mitigate misplaced files and collate all relevant information for each SAR, HR software like Breathe lets you access documents anywhere at anytime with WiFi. We've found this helps to save time, money and HR headaches. 

3. Collecting and locating information

Information storage is crucial in terms of how to manage SARs. We're seeing more coverage in the media relating to GDPR breaches and the fines charities and SMEs face if they are found at breach.

Breathe helps to keep your company GDPR compliant by committing to store all employee documents and company information safe and secure in the cloud. We recommend stepping away from the filing cabinet and investing in an award-winning HR software, like Breathe. 

Achieve GDPR compliance


Posted on 6 September, 2019

By Rachael Down

in Employment Law

Tag Employment Law

Sign up to get the latest HR and people management insights straight to your inbox