Subject access requests will add an additional admin burden onto busy HR teams, warns CIPHR expert
Nearly a quarter (24%) of people plan to ask their former, current or potential employers for access to the personal data held about them once the General Data Protection Regulation (GDPR) comes into force, according to a new survey by Veritas Technologies.
Under the terms of the GDPR – which comes into effect on 25 May 2018 – individuals can ask any organisation that holds their personal data for a full copy of the information being held about them, and the organisation must provide it free of charge within 30 days. Before 25 May 2018, subject access requests (SARs) cost £10 each and companies had 40 days to comply.
“That £10 fee used to put off quite a few people from putting in the request, so I expect the number that organisations will receive to increase quite significantly,” Sarah Dillon, director at ESP Law, told CIPHR earlier this year.
Employers have a right to turn down requests that are too ‘complex’, but there’s currently no legal definition of what that means, added Dillon. “Under the old regime, [you] could say: ‘that’s an unreasonable request, you need to refine the scope of your search’. That’s not going to be as clear under the GDPR.”
In organisations without a large IT department or specialist GDPR team, compliance with SARs from former, current or potential employees will likely fall on the HR team, said Claire Williams, senior HR systems consultant and data protection officer at CIPHR.
“Even if you receive only a handful of SARs a month, the time to satisfy them will quickly add up, putting an additional burden on already busy HR teams – particularly if you are storing sensitive employee information in a paper- or Excel-based filing system,” said Williams. “One simple way to speed up compliance is to put in place a comprehensive digital HR system, such as CIPHR, that securely stores employee data, meaning you can download the relevant HR information quickly and easily.”
Employers need to think about data relating to job applicants too, added Williams. “If you are using a system of email mailboxes, how easy will it be to retrieve the relevant information? Opting to use an online applicant tracking system (ATS) such as CIPHR iRecruit means you can make the information available to the applicant with a click of a button, and they can download it securely via the applicant portal.”
The survey by Veritas also found that many consumers don’t expect organisations to be able to carry out SARs adequately. Nearly four-fifths (79%) of the 3,000 respondents said they believe that organisations won’t be able to find all the personal data that is held about them. A further fifth (20%) said they expect organisations will only be able to find up to 50% of the personal data that they hold.
“It’s imperative that businesses embrace technology that can help them respond to these requests quickly, with a high degree of accuracy,” said Mike Palmer, executive vice president and chief product officer at Veritas. “This means having the ability to see, protect and access all of the personal data they hold regardless of where it sits within their organisation. Businesses that fail to recognise the importance of responding effectively and efficiently to personal data requests will be putting their brand loyalty and reputation at stake.”