Since the General Data Protection Regulation (GDPR) legislation was introduced in May 2018, there has been a marked increase in the number of subject access requests from current and former employees. Some of these are being used as a litigation threat by unhappy/aggrieved employees, and there is no doubt that such requests can take up a huge amount of managers' and employers' time in finding and collating data.
So, what should you do as an employer if you receive a subject access request?
- Put one person in charge of gathering and collating the data required for the request. Give them the time and authority to request all data.
- From receipt of the request, ensure that you are ready to provide all the data within the one-month deadline.
- If the request is linked to a particular issue/grievance/case, negotiate to narrow the scope of the search to data explicitly linked to that issue. This can be really important if you are dealing with an employee or ex-employee with considerable service.
- Review all the data and make sure that it is appropriate and within the scope of the request. You need to be very conscious of not releasing any data that would compromise other employees' details, and/or compromise security/confidentiality within the organisation.
- Maintain a copy of all documentation provided to the requester.
All employers should ensure they have a Data Privacy Policy in place which clearly outlines, either within the policy or as a separate policy, a record retention policy setting out the maximum retention periods for employee records and the rationale for keeping such records.
Ensure managers and HR fully understand the breadth of a data request and how to manage the process.
We have a team of trained and skilled investigators and consultants who have extensive experience in this area and would be happy to discuss any issue of concern with you. Just email us on info@voltedge.ie or call Ingrid on 01 5252914.
Voltedge Management