
Data Subject Access Requests and the GDPR: How to Comply Quickly

Organisations need to be aware of the enhanced rights that individuals will have to request and access their data under the General Data Protection Regulation (GDPR).

This blog sets out the revisions to Data Subject Access Requests (DSARs) under the GDPR and how organisations can best prepare to comply quickly within the set time limit.

What are Data Subject Access Requests?

Data Subject Access Requests are currently governed by section 7 of the Data Protection Act 1998. They entitle employees, as “data subjects”, to:

  • Obtain copies of personal data held by their employer;
  • Know why the organisation is holding it;
  • Receive information on how their data is stored and processed;
  • Know who their information is disclosed to.

When the GDPR comes into effect on 25th May, this entitlement will continue as normal, except that companies will have 30 days to comply instead of 40 days.

What is personal data?

“Personal data” is information that relates to a person in their personal, family, business or professional life where the individual is the focus or central theme of the information, rather than some other person or event.

The ICO identifies “personal data” as the following:

  • Information processed, or intended to be processed, wholly or partly by automatic means (that is information in electronic form, usually on a computer);
  • Information processed in a non-automated manner, which forms part of, or is intended to form part of, a ‘filing system’ (that is, usually paper records in a filing system);
  • Information that forms part of an ‘accessible record’ (that is, certain health records, educational records, local authority housing or social services records, regardless of whether the information is processed automatically or is held in a relevant filing system);
  • Information held by a public authority.

What constitutes a valid Data Subject Access Request?

To be valid, a data subject access request should be made in writing. If a request does not mention the Data Protection Act specifically, or even say that it is a subject access request, it is nevertheless valid and should be treated as such if it is clear that the employee is asking for their own personal data. A request is also valid even if the employee has not sent it directly to the person who normally deals with data requests. It is therefore important for an employer to ensure that individuals within the business can recognise a data subject access request and treat it appropriately.

With regard to the authenticity of a request from a former employee, an employer should not assume that the person making the request is who they say they are. Employers should verify the identity of the “data subject” and should request a copy of the subject’s passport or driving licence. Some requests may come through third parties, such as solicitors. DSARs relate to providing personal data, so employers will need to be satisfied that the request has been authorised by the individual.

Disgruntled employee DSARs

Data Subject Access Requests are relatively straightforward to make but can be significantly time-consuming, expensive and problematic for employers. Their main purpose is to enable an employee to check that their data is being lawfully processed in accordance with the Data Protection Act and, as of 25th May, the GDPR. However, they can be used as a weapon by a disgruntled employee because of the cost and time implications for a business. They can also be used to gather data prior to legal action brought by an employee.

What can an individual request?

The ICO code of practice indicates that an individual who makes a written request and pays a fee is entitled to be:

  • Told whether any personal data is being processed;
  • Given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
  • Given a copy of the information comprising the data;
  • Given details of the source of the data (where this is available).

However, the employee should provide sufficient information about the requested data so that the employer understands what is being requested and can find it. For example, is the requested information contained in emails, and if so, what is the relevant time period? If the request is not sufficiently clear, the employer can ask for more details to help locate the requested data.

What if an employer fails to comply with a request?

If an employer fails to comply with a Data Subject Access Request, by missing the deadline or by not providing an employee with access to all relevant personal data, they can incur significant penalties. The Information Commissioner’s Office (ICO) has multiple tools available to enforce the GDPR requirements, including:

  • Issuing warnings;
  • Reprimands;
  • Ordering compliance;
  • Imposing large fines (up to 4% of annual turnover, or €20m, whichever is bigger).

According to ICO official statistics, the mishandling of data subject access requests is the number one data protection issue complained about by the public. In 2016, 42% of the more than 18,000 data protection-related complaints lodged with the ICO concerned individuals’ rights to access their personal data held by organisations.

Is there any information that employers do not have to disclose?

There are some documents that employers can legitimately exclude. These exemptions apply only in certain circumstances, depending on the nature of the personal data. Under the GDPR, organisations can withhold personal data if disclosing it would prejudice a part or function of the organisation.

How extensive is the data search?

An employer cannot exclude data on the basis that it may be difficult to access or locate. Extensive efforts, reasonable and proportionate to the request, are required to locate the information. Given the strict timescales and the potential scope of the data involved, online review platforms are an excellent option for sourcing the specific data quickly and effectively.

What are online review platforms and how can they help?

Online document review platforms are powerful tools specifically designed to filter large volumes of electronic data quickly and to streamline the identification of documents. They are typically used within the electronic discovery process during litigation and dispute resolution matters. However, if an employer receives a data subject access request that requires them to search through a vast amount of historical data, they become an ideal solution. This could include the analysis of a range of data sources, such as back-up tapes and hard drives.

As customisable platforms, they enable data to be identified by applying specific keywords and search terms relevant to the request. If an employer needs to find all data relating to ‘Joe Bloggs’, for example, this name can be applied as a keyword. The platform then runs an automated process to identify all the information relating to this individual quickly and efficiently. This is invaluable in ensuring that the GDPR timescales are adhered to, no fines are imposed and all relevant data is retrieved.

Another benefit is that such platforms enable employers to identify only the personal data relating to the employee and to exclude non-relevant material, such as documents authored by the employee that are not, in fact, personal information. Such material would not be disclosed by the employer, as it relates solely to the business and could contain sensitive company information.

What specific changes will the GDPR introduce?

Response time: Under the new GDPR rules, an employer must respond promptly to a valid data subject access request. The time limit for compliance will change from 40 days to “without undue delay and in any event within one month”. Although the standard time limit for responding is being reduced, the one-month period may be extended by a further two months where requests are complex or numerous. In such cases, the employee must be contacted within one month of making their request and told why an extension is required. The ability to extend the time limit will be extremely useful for employers dealing with particularly time-consuming requests.

Fee: Under current data protection law, businesses can charge a £10 fee for responding to a DSAR. Under the GDPR, however, a copy of the information will need to be provided free of charge, unless the request is ‘manifestly excessive or unfounded, particularly if it is repetitive.’ In that scenario, the ICO guidance explains that employers may charge a ‘reasonable’ fee.

What steps can employers take to prepare themselves?

There are a number of steps employers can take to ensure they are prepared for the GDPR changes and any data subject access requests:

  • Review and update internal policies and procedures to reflect the wider GDPR requirements, making sure staff are aware of them;
  • Outline a process for handling Subject Access Requests, which may include how to identify what constitutes personal data, what is third party data and what obligations the organisation must now fulfil to ensure it is compliant;
  • Train staff to recognise a subject access request from an employee and to respond appropriately and efficiently;
  • Identify and monitor all systems where personal data is held, which is in line with the new GDPR obligation to keep records of processing activities (Article 30). This covers hardcopy documents as well as electronically stored information (ESI);
  • Update internal IT systems to allow for the deletion and transfer of personal data. This helps ensure that data pertaining to an individual can be quickly isolated;
  • Prepare templated response letters to ensure an efficient, standardised response and that all elements of a data subject access request are addressed, in line with the new GDPR requirements.

How can CYFOR assist in the event of Data Subject Access Requests?

Recognised as industry experts in Digital Forensics and Electronic Discovery, CYFOR has the expertise to assist organisations dealing with data subject access requests. We have at our disposal specialised online document review platforms designed to search, filter and analyse large volumes of electronic data for subject access requests.

We can also provide a data flow map, which is designed to help you understand the general flow of personal data through your business, allowing you to improve efficiency in DSAR and GDPR compliance.
