HR and GDPR: the new rules about Subject Access Requests

7 min read  |   5 July, 2019   By Aimée Brougham-Chandler

Proficient young male employee with eyeglasses and checkered shirt, explaining a business analysis displayed on the monitor of a desktop PC to his female colleague, in the interior of a modern office

Since the government’s new General Data Protection Regulations (GDPR) were introduced last year, businesses have been working hard to ensure they are compliant with the new legislation. The Information Commissioner’s Office (ICO) has the power to fine organisations found guilty of a data breach up to £20 million or 4% of their annual turnover and they regularly announce which firms have been penalised. The list of companies found guilty of nuisance calls and spam – as well as losing data – shows that the ICO has the smaller companies in its sights as much as larger firms. 

To date, much of the emphasis in the press and business blogs has been on the use (or misuse) of marketing, prospect and customer information. However, it’s important to remember that the new rules apply to employee data, too. Information about your people is about as sensitive as it gets, and this is especially the case since GDPR rules were extended in May 2019 to cover Subject Access Requests (SARs) made by employees.

Here are the important topics we're going to cover in this article:

What is a Subject Access Request?

If your business holds information about a person, they can request access to this data. They can also request that this information is deleted and this is called 'the right to be forgotten'.

Since the new rules came into force, there has been an increase in the number of employees in the UK workforce making access requests and this is expected to grow as people become aware of the legislation. 

It’s important to consider the implications for your business if the ICO decided that you have not handled a SAR properly. Alongside the financial damage inflicted by a potentially sizeable fine, your reputation could also take a hit, which could easily affect your recruitment and employee retention efforts. So, it's important that you prepare yourself by putting plans and processes in place, so you can manage SARs should an employee choose to make one.

SAR changes and your new responsibilities

As of May 2019 there have been four key changes to existing GDPR rules, and as a result of these many businesses will need to re-think the way they manage employee data. Here's what you'll need to do.

  • You must provide all the personal data that you hold about the employee who is making a SAR, including anything held in an HR system, on paper, in spreadsheets, email correspondence and every other type of record.
  • The scope of a SAR is far reaching and includes emails that refer to an employee, their performance reviews, job interviews, payroll records, absence records and any information about disciplinaries.
  • The data must be provided free of charge to your employee.
  • All data must be provided to an employee in a secure format. If you provide the data electronically, it needs to be password protected.
  • Data must be provided in an easily accessible format.
  • The data needs to be easy to read and understand.
  • Businesses must now respond to SARs within 30 days (it was previously 40).
  • SARs no longer have to be made in writing. Employees are free to make requests as they see fit and this includes a verbal request.

The importance of centralising employee data

For organisations that use multiple software systems, spreadsheets and paper records to manage employee information, handling even a single SAR could be a headache - especially if an employee has been with a company for a number of years. Managing multiple SARs could very easily become a complete nightmare which wreak havoc with HR administrators' lives.

This is where dedicated HR management systems like Breathe can help. By centralising all employee information and documents within a single, password-protected system, HR admin staff and business managers can help mitigate the risk of a data breach, and at the same time ensure that if an employee does make an SAR all required information can be provided easily and quickly.

It’s important to look for a system for which every employee within an organisation has their own unique log-in. The ability to set different access and user permissions is just as vital. This ensures that people can only see what they are meant to see, and that HR administrators have complete control over what documents and information are visible to people. 

Try Breathe for free (no credit card needed)

How can cloud-based data security help?

If you do decide to investigate HR management systems that are available for small businesses, it’s worth considering those that are hosted in the cloud on your behalf, as cloud-based systems can provide a greater level of protection than those which are deployed internally on your own servers. Daily data backups, ensuring a server is secure and updating operating systems and security software can be extremely time-consuming and also very expensive. Employing dedicated IT staff to manage internal systems can be costly, even with a relatively new engineer commanding a big salary.

If a company suffers a data breach as a result of out-of-date server software or, for instance, a flawed firewall which has been penetrated via malware or a cyber attack (which is sadly all too common these days), then the ICO could deem a firm to have been negligent in terms of ensuring employee data is secure. A missed software update or an out-of-date license could result in a sizeable fine despite a business’ best intentions. Stating that you weren’t aware that your anti-virus software needed updating is unlikely to convince the ICO. 

Cloud based software such as Breathe is hosted in modern data-centres provided by leading specialist hosting companies. These companies have invested millions in setting up facilities that are ring-fenced by many levels of security and managed around the clock by specialist teams of engineers. Routine admin – such as daily backups – are managed on your behalf. Breathe, for instance, is hosted by Amazon Web Services and their facilities are ISO 27001 accredited, meaning they have been independently certified to ensure security is at the very highest level.

At Breathe we provide a further level of protection, as we ourselves have been ISO 27001 accredited, certifying the processes we have in place for managing our customers’ employee data.

Before even thinking about software features or prices, the first question you should ask a provider is, “Can you prove to me that my employee data will be safe in your facilities?” If there’s any doubt, you should walk away.   

These days, the majority of UK businesses are using cloud-based applications. According to the Cloud Industry Forum, 88% of IT and business decision-makers use one or more cloud-hosted apps, and 67% were keen to ramp up adoption last year.

GDPR and HR management software: next steps…

If you’re not already using an HR software system like Breathe and are considering doing so, we recommend the following three steps.

  • Security first – if you’re thinking about cloud-based software, ask a provider to prove that your employee data is safe in their hosting facilities. Look for ISO 27001 as the benchmark of high security.
  • Try before you buy – look for software which you and your team can try before you commit to buying.
  • Support and training – some software companies charge extra for support and training and this can add up. Some offer training and support as part of monthly or yearly subscription plans. Be sure to talk to software providers about this.
  • No single system will make you GDPR compliant – it’s how you use the software to manage employee data that counts.

GDPR and SARs: other useful resources

  • In June 2019, we co-hosted a webinar with the team from hr inspire – a leading HR consultancy firm. We discussed GDPR and SARs and explored the legislation as well as the practical steps businesses can take to achieve compliance. The webinar was provided for charities, however, it’s equally applicable to businesses and is available via this link.
  • The ICO published numerous up to date resources about GDPR and SARs. Click here to visit their website. 

Breathe provide a free, no-obligation 14-day trial to everyone. Yours is available via this link


Author: Aimée Brougham-Chandler

An IDM-certified Digital Copywriter (2023) & English Language & Literature graduate (BA Hons), Aimée is Breathe's Content Assistant. With 3 years' content marketing experience, Aimée has a passion for writing - and providing SME HR teams with solutions to their problems. She enjoys delving into & demystifying all things HR: from employee performance to health and wellbeing, leave to company culture & much more.

Back to listing

Sign up to get the latest HR and people management insights straight to your inbox