Subject access requests under the GDPR: much ado about nothing?

Published 5 December 2017

There is no denying that the General Data Protection Regulation ("GDPR") will have far reaching consequences for how data is processed but, within the employment context, is the hype really justified?

For instance, how will the data subject access request ("DSAR") regime change under GDPR and how will this impact employers?

Abolition of £10 fee

Under GDPR, employers will no longer be able to charge the maximum £10 fee for responding to a DSAR. A lot has been made of this change, with the Ministry of Justice's initial impact assessment suggesting that this could potentially lead to a rise of between 25% - 40% in the number of DSARs made each year. While some increase in DSARs is likely given all the publicity around GDPR and the increased awareness of individuals' rights, we do not expect the removal of the fee will lead to a significant increase in the number of DSARs raised by current or former employees. This is for two reasons.

• Firstly, many employers do not currently charge the £10 fee to employees either on policy grounds or, as more often than not, as the cost of cashing a cheque is more than the fee charged.
• Secondly, given that employees typically make a DSAR when they are in dispute with their employer, the reasons for making the DSAR (i.e. the potential value of the employee's claim and the benefit to the employee of obtaining early disclosure and/or putting the employer to early costs) mean that the fee does not act as any form of deterrent.

We therefore do not expect employers will see a significant increase in the number of DSARs they receive from their employees and former employees as a result of the abolition of the maximum £10 fee.

Clarifying the scope of the request

Under the current regime, an employer is entitled to request further information from an individual in order to locate the personal data being sought as part of a DSAR. One practical benefit of seeking further information is that the time limit for responding to the DSAR does not run until the individual provides any information reasonably required by the employer to locate the personal data.

This right is not expressly replicated under GDPR, although there is a similar provision within one of the recitals to GDPR which suggests that an employer should be able to request that an individual specify the data sought where the employer processes a large quantity of information about that individual. While this is not a complete answer for employers, it is hoped that the position will be clarified in the Data Protection Bill ("the Bill") currently being debated in Parliament, although an amendment would need to be made to the current draft of the Bill to do so. Assuming this point is addressed in the Bill, the commencement of the time limit for responding to a DSAR under GDPR should be delayed until the relevant information has been supplied, as applies under the current regime.

Deadline for responding to a DSAR

Under GDPR the longstop date for complying with a DSAR is being reduced from 40 days to one month. However, an employer may extend this deadline by up to two months if the requests are complex or numerous.

On one hand, the reduction in the standard time period for responding to one month is unwelcome news for employers. Conversely, the ability to extend the timeframe for compliance to a total of three months if the request is particularly complex or numerous will prove extremely useful for employers where responding to the DSAR involves the time-consuming exercise of retrieving data from archives (in particular e-mails), and de-duplicating and filtering this data in order to respond. We do not expect the ICO will be interested in challenging an employer's assertion around the difficulties of responding within one month provided the employer puts forward good reasons. This three month delay in receiving a response may also deter individuals from using DSARs to attempt to gain advance disclosure in the context of some wider dispute as the time-saving may prove nominal.

In cases where an employer wants to take advantage of the three month period, it should write to the individual within one month of receipt of the DSAR to explain (in some detail) the difficulties in responding and noting that the response will therefore be delivered within three months of receipt.

Format of response

Under GDPR if an individual makes a DSAR by electronic means, the employer must provide its response in electronic form too (unless otherwise requested by the individual). While this may sound like a material change, in practice this can simply involve providing pdf copies of the documents containing the individual's personal data via e-mail or an encrypted hard drive, as opposed to hard copies.

There is a suggestion in one of the recitals to GDPR that the response to the DSAR should be made available to the individual via a secure online system. This is not a strict requirement, and unless the ICO comes out with detailed guidance recommending such a course of action, we consider that there will be limited uptake of this suggestion.

Processing information to be provided

Under GDPR an employer will need to provide more extensive information about the processing of the individual's data when responding to a DSAR, however, all the relevant information should already be within the employee privacy notice. Accordingly, this enhanced requirement should not result in any increased burden on the employer as the information can simply be lifted from the notice.

Manifestly unfounded or excessive requests

Under GDPR, an employer may either charge a reasonable fee (taking into account its administrative costs) or refuse to respond where a request is manifestly unfounded or excessive. There is little guidance as to what this means within GDPR or the Bill, save that it may cover repeated requests for the same information. We therefore await detailed guidance from the ICO. However, given the ICO's current stance on data subject access rights, this exception is likely to be very narrowly defined and therefore of limited benefit to employers.

Should employers be concerned?

In our experience, responding to DSARs is a time consuming and labour intensive exercise. This will remain the case under GDPR. While there will be some practical differences in how responses are provided (e.g. in terms of format, cover letter etc.), an employer who has appropriate systems and procedures in place to deal with DSARs under the current regime will not need to radically rethink their approach once GDPR comes into force next May. However, for those employers who struggle to comply with the current regime, GDPR should act as a prompt to get their house in order sooner rather than later.