Updates to GDPR in 2018 meant stricter terms for employers dealing with employee Subject Access Requests (SARs). Here's what you need to know:
Subject Access Requests: GDPR Updates
- Companies can no longer charge the employee for supplying SARs
- Employers have 30 days to complete each request
- Employers can respond to the request electronically or export the data through HR SaaS
What is a Subject Access Request?
A Subject Access Request or a SAR is a request that can be made by an employee when they want to see any or all personal data that their employer holds on them.
Companies cannot charge a fee for Subject Access Requests
Previously, under the Data Protection Act, companies could charge a discretionary fee of up to £10 to fulfil an employee’s Subject Access Request.
However, GDPR gives individuals a right to access their personal information, which means it’s free for employees to submit a SAR.
Despite this, the regulation protects employers to a degree. If a request is deemed to be ‘manifestly unfounded or excessive’, particularly if it is repetitive, employers may charge a ‘reasonable fee’ for the administrative cost of providing the information.
Employers have 30 days to complete Subject Access Requests
Employers have 30 days to comply with a Subject Access Request. This is down from 40 days prior to the introduction of GDPR.
However, if requests are complex or numerous, employers may extend the period of compliance by two months. To do this, you must notify the requester within one month of receiving the Subject Access Request to explain why the extension is necessary.
Employers can send Subject Access Requests electronically or export the data through HR SaaS
GDPR states that if a Subject Access Request ‘is made electronically, you should provide the information in a commonly used electronic format’.
It also recommends that it is best practice for organisations to ‘provide remote access to a secure self-service system which would provide the individual with direct access to his or her information.’
How to respond to a Subject Access Request
1. Appoint a Data Protection Officer
To respond to Subject Access Requests correctly, it's advisable to nominate one person to take responsibility for coordinating and managing data collection to fulfil requests.
2. Develop a process for managing SARs
A 30-day response period may sound like plenty of time to respond to a Subject Access Request, but time flies - especially for SMEs. That's why we suggest creating a process for managing such requests.
A defined process helps prevent misplaced files and collates all relevant information for each SAR. HR software like Breathe also lets you access documents anywhere at any time, so long as you have an internet connection.
This makes it well suited to remote teams and flexible-working employees. It’s also ideal as part of a business continuity strategy: that way, being forced to work remotely or temporarily close your office doesn’t disrupt your processes.
What’s more, there’s no costly and time-consuming hunting down of files, photocopying, and subsequent refiling to deal with.
3. Collect and locate information
Information storage is a crucial element of managing Subject Access Requests. We're seeing more coverage in the media relating to GDPR breaches and the fines charities and SMEs face.
Breathe helps keep your company GDPR compliant by storing all employee documents and company information safely and securely in the cloud. Step away from the filing cabinet and free yourself from the photocopier by investing in award-winning HR software like Breathe.
Author: Laura Sands
Laura is a writer who enjoys getting into the detail of subjects and sharing that knowledge with snappy, interesting content. When not typing away, she enjoys walks in the woods and curling up with a good book and mug of something hot.