With the introduction of GDPR the fundamental right for employees to access the personal data held by their employers come sharply into focus. The Subject Access Right (SAR) entitles an employee, to be aware or all personal data their employer keeps in relation to them. They can know if it is being processed, the purpose of processing as well as to who has access to the data. Employees may also obtain copies of this data.
Under GDPR employees are entitled to a free copy of their personal data if they can show good reason. This will likely lead to a surge in the number of requests that human resources and small business will have to respond to. HR departments will have to process request quickly as the employees have a right to their personal information and any violation of this may result in significant financial penalties.
The changes will be live from May 25 next year and state that employers must process a SARs within one month from the receipt of the request. This is different from the current 40 days necessary under Data Protection Acts. Due to this HR departments will have a shorter period of time to complete the requests. This means that early preparations are vital in order to ensure compliance with the shorter time frame. However, if a request is particularly complicated, companies can have two months complete processing a SAR.
Additionally, employers will no longer be allowed to charge for processing a request for personal information. This aspect of GDPR could have significant ramifications in terms of administrative expenses if a litany of requests are received. HR Departments are being advised to narrow the scope, as much as possible, with the employee concerning what they want prior to ruling a request manifestly unfounded or excessive.
Departments should also ensure the information they provide to the employees is personal data. Crucially, organizations should establish online self-service HR systems that allow individuals to access their information digitally. However, such IT infrastructures need proper planning as they may have negative effects on the business. Employers should first examine the reason given for a SAR before accepting or rejecting the request.
GDPR was formulated to protect individuals people from infringement of their privacy. Due to this any efforts made to access information for litigation purposes amounts to an abuse. The data controller, in this case, may not be obligated to comply with the SAR.