Wednesday, 25 October 2017
On May 28th, 2018,the data protection regime across the EU (including the UK) will change.The General Data Protection Regulation (GDPR ) will replace the provisions of the Data Protection Act 1998.(DPA).
The GDPR preserves the rights provided under the current law and also provides new rights and enhanced protection for individuals. Failure to comply with the provisions of the GDPR may lead to greatly increased monetary sanctions,so it is critical that any organisations processing personal data are aware of the changes.
This data could include personnel records, metadata on computers and servers,CCTV, call logs, electronic premises access records, health and safety reports and any other electronic records or filing systems used within an organisation.
In addition, individuals will have a right to rectification of personal data being processed inaccurately by an organisation,and the right to data portability, essentially giving an individual the ability to have a copy of their personal data in a commonly used and machine-readable format.
Perhaps the most prominent and commonly used right under the DPA is subject access and this is changing under the GDPR. Organisations need to be aware of the changes and how to prepare for subject access requests under GDPR.
The GDPR defines personal data as "any information relating to a data subject" and a data subject as an identified or identifiable living person to whom personal data relates. Organisations must consider how to identify individuals, in particular employees.
Names clearly identify a person, but so may an email address, payroll number and computer login details. Careful consideration will need to be given to any other aspects of an organisation's operation that uses alternative designations (through coding or shorthand) to identify an individual.
Perhaps the biggest change to the subject access regime will be the time allowed for compliance. Less time will be available to organisations in order to comply with a subject access request. The current regime allows for 40 calendar days, but the GDPR will reduce this to one month.
Organisations may, however, be able to seek an extension of up to a maximum of two further months in cases of complex or numerous requests from an individual. If an organisation seeks an extension, it must notify the requester within one month of receiving the original request and set out why the extension is necessary. Any explanation will need to be sufficiently detailed in order to justify the request. It may be that the normal period of compliance will by default be stretched to three months in an employment context.
However, you will also need to provide additional information to employees requesting access to their data.This includes the envisaged period of storage and information about the data subject's rights.
Organisations should exercise their right,where legitimate, to ask the requester to specify the information relating to the request. This request will not pause the time for complying but it may be of particular use to those organisations that process large amounts of personal data, bringing the search into focus.
But why should the DGPR land in HR's in-tray? Surely data protection is the domain of your risk management team or the technical experts who monitor your systems?
Remember that abdicating responsibility for the GDPR would be a risky approach, as the new rules implement changes which will directly impact on the every day work of HR practitioners. Also important, the key concerns for departments handling employee data may be very different than for departments managing your organisation's interface with client and customer.
Deciding whether a request is "manifestly unfounded or excessive" will depend on individual facts and organisations should seek legal advice before making a determination.