GDPR right of access: new guidance

Under the General Data Protection Regulation (GDPR), individuals have the right to a copy of the personal data that your organisation holds about them. This is often known as a subject access request (SAR). The Information Commissioner’s Office (ICO) has recently issued new guidance for businesses and employers about how SARs should be dealt with.

The law

Employers must respond to a SAR from a worker without delay, and within one month from receiving the request. If it’s a complex issue, you might be able to extend this for up to two months. But if you don’t respond within the right timeframe, or at all, there’s the possibility of fines or reprimand from the ICO.

In the ICO’s own words: ‘The right of individuals to access information that organisations hold on them is one that is vital for transparency and is enshrined in law. What we’re seeing now is that many employers are misunderstanding the nature of subject access requests, or underestimating the importance of responding to requests.’

Getting it right

In practice, though, what does compliance look like? It might sound straightforward, but reality doesn’t always fit textbook scenarios.

To help your staff recognise a request, they need to know that SARs can be made in all sorts of ways: there’s no formal procedure needed. Contact can be verbal, in writing – even via social media. Questions as simple as ‘what information do you hold on me?’ or ‘can I have a copy of the notes from my last appraisal?’ count as SARs and need an appropriate response. There’s no necessity even to use the words ‘subject access request’ – it’s up to your organisation to identify that this is what is being made.

It's important, too, that staff know how to respond and who to pass the request to. A valid request can be made by means of contact with any part of your organisation: it doesn’t have to be addressed to a specific person. But the employer’s side of the equation is different, and the ICO does expect you to have a designated person, team and email address to deal with SARs.

With more than 15,000 complaints in this area made to the ICO last year, it’s important that businesses and employers get it right. Further details can be found on the ICO website.
