Increase in the number of Data Subject Access Requests in the last year.
The General Data Protection Regulation (GDPR) has been in force for almost a year, and what has become apparent is that it is an ongoing obligation requiring regular compliance. Part of that activity has involved managing requests for access to personal data using data subject access requests (DSAR). Subject access requests regularly arise in the context of a dispute with a disgruntled employee or ex-employee, who will often be only too keen to report the matter to the Information Commissioner’s Office (ICO) if they feel their request has been mishandled.
When an organisation receives a DSAR from a member of staff, ex-employee, or unsuccessful job applicant, it must respond within a month and cannot usually charge a fee for doing so. There are a number of exemptions, but the presumption is generally that the individual should be provided with the personal data that he or she has requested.
Personal data includes statements of opinion or of intent about the data subject, which in the context of an employment relationship, could include unflattering comments made, for example, in interview notes, emails and minutes of meetings. It is a criminal offence to deliberately destroy personal data to thwart a DSAR.
The widespread publicity surrounding the GDPR means that people are more aware of their rights, are more likely to exercise them, and are more likely to complain to the ICO if their request is not properly dealt with.
Businesses, public authorities and charities must have robust, effective policies and processes in place for dealing with data subjects’ requests and they should ensure that their staff are trained to recognise and manage requests.