Individuals have the right to ask for a copy of the personal information an organisation processes about them. This is known as a ‘subject access request’. The rules for dealing with subject access requests will change under the GDPR, with some of the better-known administrative provisions being abolished.
Firstly, the £10 fee employers have previously been able to charge for responding to a request is being abolished, unless the request is ‘manifestly unfounded or excessive’. It seems unlikely that this will have a significant impact on the number of requests being made: where an employee in dispute with their employer made a subject access request, a fee of that level was unlikely to have been a barrier.
The timescale for responding is also changing. Organisations will have only one month to comply from the date of receipt of the request, compared to the 40 days allowed under the current regime. Where requests are complex or numerous, organisations will be able to extend the period for compliance by a further two months. If this is the case, the individual must be informed within one month of receipt of the request and given an explanation of why the extension is necessary.
The GDPR allows organisations to ask the individual to clarify what specific information the subject access request relates to where large quantities of personal data are involved. It is not yet clear whether such a request for clarification will delay the start of the timescale for supplying the information, as it can under the existing regime. This matter may be addressed in the Data Protection Bill, which is currently before Parliament and which is intended to come into force on 25 May 2018, concurrently with the GDPR.
New rules also apply to the format of responses. If a request is made by electronic means the employer will have to provide a response in electronic form too (unless the individual making the request indicates otherwise).
Finally, there will be different grounds for refusing to comply with a subject access request, and manifestly unfounded or excessive requests can be charged for or refused. Any charge must be reasonable, taking into account the administrative costs. At the moment there is little guidance on what will amount to a manifestly unfounded or excessive request, although it may cover repeated requests for the same information. The expectation, though, is that it will apply only in limited circumstances.
For our guide on how to tackle the GDPR, see ‘Welcome to GDPR - How to tackle the changes in 10 steps’. See also our Data Protection and GDPR webpage for additional information.