The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and organisations who collect and process personal data have had 2 years to become compliant with GDPR. Once of the areas that will change under GDPR is that of data/subject access requests. This is the mechanism by which a data subject (such as an employee or customer) can request access to any personal data an organisation holds about them. As we know from current data protection legislation, subject access requests are common in situations where a dispute or grievance arises between an employer and an employee. The receipt of a subject access request is often a sign that litigation is about to happen.
Linda Hynes had previously prepared a handy checklist on how to deal with data/subject access requests. Linda has now updated this to take into account the changes that will apply under GDPR. These include:
- That a fee will no longer be chargeable (unless the cost will be excessive – this will be a high bar and most requests will not justify the charging of a fee);
- The timeframe for complying has been reduced from 40 days to 1 month;
- The categories of information to be provided has increased;
- The personal data should be provided in electronic format where possible and where requested by electronic means.
Organisation’s should review their procedures in respect of dealing with data/subject access requests to ensure that can deal with them quickly and efficiently. Non-compliance with GDPR can attract fines of up to 4% of total global annual turnover or €20m (whichever is the higher). 835 complaints were received by the Data Protection Commissioner in 2016 in respect of the right of access to personal data. Under GDPR that figure will only increase.
To access the updated checklist click here.
Disclaimer: This publication is for guidance purposes only. It does not constitute legal or professional advice. No liability is accepted by Ogier Leman for any action taken or not taken in reliance on the information set out in this publication. Professional or legal advice should be obtained before taking or refraining from any action as a result of the contents of this publication. Any and all information is subject to change.