GDPR: coping with the epidemic rise of subject access requests
In the post-GDPR business landscape we are all more keenly aware of the importance of data, which is why employers have seen a boom in subject access requests from employees. It’s essential that organisations have a robust process in place to deal with these.
When GDPR was introduced in 2018 the focus was very much on the new obligations organisations had to customers and clients – we all remember our inboxes full of pleas for us to remain on mailing lists we’d long forgotten we were ever on! What businesses were less aware of was how this new data protection culture would translate to them as employers, and how readily the workforce would want to exercise their new data protection rights as employees.
Most employers know that employees and ex-employees are able to request the information held on file about them through subject access requests (SARs), also known as a DSAR – data subject access request. Recently, however, many organisations have been caught out by the sheer number of requests they have received.
GDPR has not only increased employee awareness of the rights they have to their personal data but has made the application process easier for them, while simultaneously making employers’ responsibilities more onerous.
It’s hard to quantify just how many more employees are exercising their right to personal data under GDPR, but within our client base we have seen a huge increase in requests for help dealing with an influx of SARs. When speaking with HR contacts across the country, the same trend has been identified and the same concerns voiced; why are they making these requests? Are we handling them efficiently? How can we handle them cost-effectively?
Research by law firm Squire Patton Boggs suggested that over 70% of organisations have seen a rise in their own employees making official requests. On some occasions the individual genuinely needs to understand what is held on file about them. On other occasions it appears to be no more than a fishing expedition by employees, their lawyers (in case of dispute) or a desire to simply add to workload/cost as a result of a breakdown in relationships. Research suggests that just under a quarter of all businesses have seen their own employees making SARs just to find out what the organisation has on record about them.
GDPR has not only increased employee awareness of the rights they have to their personal data but has made the application process easier for them, while simultaneously making employers’ responsibilities more onerous. Both existing and ex-employees can put in a SAR. Under GDPR employers can no longer charge a fee for providing the data and there is also a more limited time-frame to provide information – down from 40 days to just one month.
In fact, some employers are being caught out by new guidance issued by the Information Commissioner’s Office that makes the timescales for response even tighter. In August 2019, the ICO updated its guidance on timescales for responding to a subject access request.
There’s no point trying to hide employees’ rights under GDPR from them in a bid to reduce requests – this will only increase the likelihood that requests are mishandled.
The timescale has now changed to reflect the day of receipt as ‘day one’, as opposed to the day after receipt. For example, a SAR received on 3 September should be responded to by 3 October.
While there are circumstances where the deadline can be extended, employers cannot ignore an SAR ¬– fines for failing to respond to a SAR can be up to 4% of turnover.
There are also some common misconceptions about SARs that employers should make sure aren’t hindering their ability to comply with GDPR. For example:
- While employers are encouraged to make a form easily available for those wishing to make a data access request, employees are under no obligation to use it.
- SARs can be made in writing, over the phone or in person – a verbal request is as valid as a written one, so it is essential to brief staff on keeping accurate notes, especially when it comes to records of the date to respond by.
- In the context of employment, an individual can make the request to anyone in the organisation who they believe is processing data. Even if you have a designated individual, such as a Data Protection Officer a request can be made to any other member of staff too – often line managers. Make sure they know the importance of alerting the right person to the request as soon as possible.
- The applicant isn’t under an obligation to provide proof of identity when making the request, however, it is reasonable to check the identity of who is making the request. A couple of simple security questions could potentially save you providing sensitive data to an unauthorised stranger – a case in point being a PhD student who successfully contacted nearly 150 companies posing as his girlfriend and was handed her private information.
Once a request has been made, some employers have difficulty with SARs because the guidelines on what to include are not black and white. There may be numerous systems to search or third-party information entwined in correspondence you think you should include.
The time spent on these requests can quickly stack up, and the resulting costs can be shocking. Two-thirds of employers report increasing expenditure to fulfill them, 27% have hired staff to deal with the higher volume of SARs. So, what can be done to limit the cost of increasing numbers of SARs?
The first step all employers should take, no matter the size of the workforce is to have a clear policy related to SARs, outlining procedures and responsibilities - but also to ensure this is regularly reviewed to ensure it is fit for purpose as the business grows or employees move on.
Proceed with caution
Similarly, it is vital to train staff about GDPR and the different responsibilities there are to both customers and employees. There’s no point trying to hide employees’ rights under GDPR from them in a bid to reduce requests – this will only increase the likelihood that requests are mishandled. Regular communications about rights and responsibilities demonstrate you value your employees as much as you want them to adhere to the regulations.
While software is available to help deal with SARs I’d suggest approaching with caution. The costs can be eye watering. You may wish to consider whether you can make use of software as part of a package with an external DPO or consultancy that will not only guide you through policy-making but also handle SARs on your behalf with the help of the latest software.
Some advice when dealing with your own employee data:
- Keep in line with your own retention policy and delete old versions.
- It is not necessary use the names of individuals when communicating confidential material.
- Save individual’s case notes in a folder named anything other than the person’s name.
- Look through the drawer next to your desk and shred all paperwork from confidential meetings, no doubt all of this will be saved on file anyway.
- Only keep six years’ worth of recent data for any employee and delete these six years after they have left.
- Be commercially vigilant when managing disciplinary investigations and only keep the final investigation report on file, delete all other statements that have not been used in determining an outcome.
- Only use your audio recordings from meetings to support with typing your notes, delete them immediately afterwards.
- Be wise when transferring employee data, a breach could result in the ICO investigating whether you did everything you could to prevent it.
Lastly don’t be a HR hoarder. We all like to keep things longer than we need to, just in case ‘something’ happens. Ask yourself this: has that ‘something’ ever happened? Start the year with a data cleanse.
Data protection, privacy and the use of our personal data continues to dominate the headlines and no one should be under the illusion that this will die down. Every day we are becoming more aware of our individual data rights and more questioning of who holds our information and what they are doing with it.
SARs should not simply be considered as a necessary evil but also as a signal that as employers you are mindful of rights and value data protection. Keeping the process as cost-efficient as possible is of course key to any business, but so should be the respect given to the new data protection landscape in which we live.
Interested in this topic? Read GDPR and HR one year on: three things you need to know.
An award-winning consultant in HR, employment and workplace training and a passionate advocate for fair, diverse and supportive employment practices, I have run a national HR and Training business for 20 years serving clients large and small. Known for my no-nonsense approach, I advise on vital issues such as culture change and diversity. An...