GDPR Compliance for US Companies
Employers need to be aware of the enhanced rights employees have to request and access data under the General Data Protection Regulation (‘GDPR’).
On 25 May 2018, a new Subject Access Request (‘SAR’) regime came into force. This blog sets out the key changes employers need to be aware of and provides some practical tips to ensure you are best prepared to deal with SARs once the GDPR is in place.
SARs are a familiar concept, currently found in the Data Protection Act 1998 (‘DPA’). They entitle individuals to the right to find out what personal data is held about them by an organisation, why the organisation is holding it and who their information is disclosed to by that organisation. This right will continue under the GDPR.
According to the ICO’s own official statistics, mishandling of SARs is the number one data protection issue complained about by the public. In 2016, 42% of the more than 18,000 data protection-related complaints lodged with the ICO concerned individuals’ rights to access their personal data held by organisations.
A failure to meet the deadline or provide employees with access to all the data they request could expose employers to significant penalties.
The ICO has a range of enforcement tools available to it under the GDPR including issuing warnings, reprimands, ordering compliance and imposing large fines.
Please see our previous blog The £17 million Question - What will the ICO’s enforcement powers be under the GDPR, and how will they be used? for more detailed information about potential sanctions for breaches of the GDPR.
The right for individuals to gain access to personal data that organisations hold about them is the key principle of the DPA and will continue to be so under the GDPR. There are, however, a number of key differences employers must be mindful of:
Under the GDPR, employers must respond to a SAR ‘without undue delay and in any event within one month of receipt of the request.’ This shortens the previous 40 day limit under the DPA.
Despite the standard time limit for responding being reduced, the GDPR allows employers to extend the deadline by up to two months (so up to three months in total) where requests are particularly ‘complex or numerous.’ If this is the case, the data subject must be contacted within one month of making their request and informed why an extension is necessary.
The ability to extend the time limit will be extremely useful for employers dealing with particularly time-consuming requests. The burden of determining whether a request will be considered ‘complex’ is on the employer. Provided employers can evidence good reasons for the delay, it is generally considered unlikely that the ICO will challenge employers on this point, but this remains to be seen.
Employers should also look to the GDPR recitals, which helpfully provide practical guidance on the application of the new rules. Recital 63 suggests that where the employer processes a large quantity of information about the employee, they should ask the employee to ‘specify the information or processing activities to which the request relates’. However, the more the employee narrows down their request, the harder it will be to show ‘complexity’.
Employers can currently charge up to £10 for carrying out a SAR. In practice, for employers the £10 charge rarely covers the cost of complying with a SAR, particularly where the request is complex and collating the information is especially time consuming.
Under the GDPR, the fee will be scrapped and the information must be provided free of charge, which may initially seem burdensome for employers. However, the ICO guidance explains that employers may charge a ‘reasonable’ fee if the request is ‘manifestly excessive or unfounded, particularly if it is repetitive.’ It explains that the fee must be on the basis of the administrative costs involved of retrieving the information and will no doubt mean that the level of fee can vary significantly depending on the remit of the request.
In addition to being able to charge for ‘manifestly excessive or unfounded’ requests, employers may now also refuse to respond to unwarranted requests. The ICO guidance explains that ‘you must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.’
Nevertheless, determining whether the request is ‘manifestly excessive or unfounded’ is up to the employer. It would not be enough to simply say that the effort to search a pool of thousands of emails would be disproportionate without taking any steps to isolate the information or engage with a process of searching them. If it transpires that there are significant technical difficulties in recovering the information, then the employer may begin to move into the territory of showing the request is ‘manifestly excessive’. The bar for relying on this excuse is likely to be clarified by the courts in time. However, it is expected to be hard to overcome.
From the 25 May 2018, it must be possible for employees to make SARs electronically. Where the request is made electronically, the information should be provided in a commonly used electronic form, unless otherwise requested by the individual.
The ICO also used its revised code on SARs to confirm that ‘individuals may make a SAR using any Facebook page or Twitter account your organisation has, other social-media sites to which it subscribes, or possibly via third-party websites organisations’. It said that organisations can steer people to submitting SARs through a particular communications channel, but ‘may not insist on the use of a particular means of delivery for a SAR’.
The ICO said, however, that organisations are entitled to ask requesters to confirm their identity and that they can, in some cases, respond to SARs submitted via social media using other communications channels.
This is unlikely to have much of an impact in an employment context but it is important that the relevant staff are mindful of this change. Staff should be able to recognise a SAR, even when it is delivered through an alternative communication channel.
Under the GDPR, organisations can withhold personal data if disclosing it would ‘adversely affect the rights and freedoms of others.’ It will be up to the UK government to introduce any further exemptions to SARs such as for national security, defence and public security.
The DPA currently sets out a number of exemptions which allow information to be withheld from data subjects in circumstances in which it would otherwise need to be disclosed.
Current exemptions which are relevant for employers include:
There is no such list of exemptions set out under the GDPR. However, Article 23 allows national governments to introduce exemptions to various provisions in GDPR, including SARs, by way of national legislation based on a list set out in that article. This list contains the same categories as in the DPA e.g. national security, crime prevention, regulatory functions etc.
Recital 63 of the GDPR also notes that exemptions could extend to the protection of intellectual property rights and trade secrets.
The government has stated that its objective is to ‘preserve the effect of the exemptions in the DPA to the extent permitted under the GDPR’. Therefore, it is expected that the current exemptions set out above will continue to apply.
As an employer, there are numerous actions you can take to ensure you are ready for the changes. Below are a number of suggestions we recommend considering:
Important note - Since this blog was published, the General Data Protection Regulation (‘GDPR’) has come into force and the content of this blog has not been updated to reflect the new regime.
Should you have any GDPR or data protection queries, please contact our data protection team.
Skip to content Home About Us Insights Services Contact Accessibility