The right for individuals, including employees, to access their own personal data which is held by their employers is a fundamental principle of the current data protection regulation. This tenet will continue to be important under the new GDPR. The Subject Access Right (SAR) entitles a user, in this case an employee, to ask the employer what kind of personal data they hold, whether it is being processed, the purpose of processing, as well as to whom the data is disclosed. They can also ask for copies of same.
In practice, employers receive increased requests for personal information when there is a dispute. Under GDPR, individuals can request personal data for free except if the request is manifestly unfounded. This change is likely to increase the number of requests that human resources and small business will receive in future. HR will, therefore, have to be diligent when responding to SARs. This is because employees have a right to their personal information and its violation may cause an organization substantial financial loss.
The changes that will be introduced with GDPR will have a significant impact on the human resources. Beginning on May 25 2018, the employer must respond to SARs within one month from the receipt of the request. This is different from the current forty days under DPA. This implies that HR will have a shorter time to sort out the requests. This creates a need for early preparations to ensure compliance with the reduced time frame. However, if the request is complex, companies can have two months more to meet it.
Employers will no longer charge anything for processing requests for personal information. This could have significant implications in terms of administrative costs if many requests are received. HR is advised to narrow the scope with the employee concerning what they want before dismissing the request as manifestly unfounded or excessive. They should also ensure that the information they provide to the employees is personal data. Most importantly, organizations should put in place online self-service HR systems that enable individuals to access their information online. However, such systems require proper planning as they may have negative impacts on the business.
Employers will need to first determine the reason for SAR before accepting or rejecting the request. GDPR is designed to protect people from infringement of their privacy. Consequently, any attempt to obtain information for litigation purposes amounts to an abuse. The data controller, in this case, may not be obliged to comply.