During the course of the employment relationship or after the employment relationship has ended, an employer may receive a subject access request (SAR) from an employee. Employees tend to make a SAR when they have a grievance.
The law relating to data protection has recently been updated as a result of the EU General Data Protection Regulation (GDPR), which was adopted in May 2016 and automatically came into effect in the UK on 25 May 2018.
What is a SAR?
SARs entitle individuals to find out what personal data an organisation holds about them, why the organisation is holding it and to whom that organisation discloses their information.
Why has the law changed?
It is generally accepted that the last few years have seen a growth in people’s awareness of their rights, including their right to privacy, and the GDPR seeks to update the law in line with that. This is especially relevant given the awareness of data being held digitally.
What has Changed?
There are a few notable changes to the operation of SARs:
Responding to a Request
The GDPR is aimed at simplifying and easing the process for anyone to obtain the data held on them. As noted above, organisations must now respond more quickly and provide more information than previously. Whether or not you will be handling a large number of requests, it may be beneficial to put in place a GDPR-compliant approach to SARs.
What if an employer fails to comply?
If an employer fails to meet the deadline or to provide employees with access to all the data they request, it could be exposed to significant penalties.
The ICO has a range of enforcement tools available to it under the GDPR including issuing warnings, reprimands, ordering compliance and imposing large fines.
This is the second of three phases of changes to data protection law. The schedule for the changes is:
It is important to note that the UK has currently (provisionally) agreed a transition period upon leaving the EU, in which it will continue to be bound by the GDPR from 30 March 2019 up to 31 December 2020. Unless this is formalised, however, the UK will become a ‘third country’ for data protection purposes at 11pm on 29 March 2019, and this may bring with it further obligations relating to subjects’ data and how it is being stored and/or processed.
For more information about how to comply with the GDPR and SARs, please contact us on 0207 868 2868 or email firstname.lastname@example.org.