GDPR Subject Access Requests: What Employers Need to Know

With the General Data Protection Regulation (GDPR) (the “Regulation”), which comes into force on May 25, 2018, individuals will benefit from increased rights in terms of their ability to request and access personal data from any entity that holds such data about them. This note reviews the changes to the subject access request (“SAR”) regime and offers some advice to employers to help them become GDPR compliant before the upcoming deadline.

What is a SAR?

SARs are a familiar concept contained in the Data Protection Act 1998 (the “DPA”). SARs give people the right to find out what personal data an organisation holds about them, why the organisation holds it and to whom the organisation discloses it. However, according to official statistics from the ICO, SAR mismanagement is the data protection problem most complained about by the public. In 2016, 42% of the more than 18,000 data protection complaints lodged with the ICO concerned individuals' right to access the personal data held about them by organisations.

Under the GDPR, the regime for SARs is broadly similar to the one we are used to under the DPA. However, there are a number of key differences that employers should be aware of, and the ICO has published some initial guidance explaining the key features of the new regime.

What happens if employers don't comply?

Failure to meet the deadline or to provide employees with access to all required data could expose employers to a significant fine. The maximum fine provided for by the GDPR for violations of data subjects' rights is up to 4% of annual worldwide turnover for the previous financial year or 20,000,000 euros.

What does the regulation say?

Pursuant to Article 15 of the Regulation, the employee (the data subject) has the right to obtain from his employer (the data controller):

• Confirmation as to whether or not personal data concerning him is being processed and, where it is, the following information:
  - The purpose of the processing;
  - The categories of data being processed;
  - The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  - The envisaged period for which the personal data will be stored or, if this is not possible, the criteria used to determine that period;
  - The existence of the right to ask the data controller to rectify or erase personal data, to restrict the processing of personal data concerning the data subject, or to object to the processing;
  - The right to lodge a complaint with a supervisory authority;
  - Where the personal data are not collected from the data subject, any available information as to their source;
  - The existence of automated decision-making, including profiling.
• Where personal data are transferred to a third country or to an international organisation, the data subject has the right to be informed of the appropriate safeguards relating to the transfer.
• A copy of the personal data undergoing processing. For any further copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, the information is provided in a commonly used electronic format.
• The right to obtain a copy of this data must not adversely affect the rights and freedoms of others.

How will the GDPR change the current SAR regime?

The right of individuals to access the personal data that organisations hold about them is the key principle of the DPA and will continue to be so under the GDPR. There are, however, a number of key differences employers need to be aware of:

Response times

Under the GDPR, employers must respond to a SAR “without undue delay and in any case within one month of receiving the request”. This reduces the previous 40-day limit under the DPA. Although the standard response deadline is short, the GDPR allows employers to extend the deadline by up to two months (so three months in total) where requests are particularly “complex or numerous”. In this case, the data subject must be contacted within one month of submitting the request and informed of the reason why an extension is necessary. It has been said that whether a request is considered “complex” is likely to depend on the facts and context, but the extension is likely to be extremely useful for employers who have to deal with particularly time-consuming requests. Recital 63 of the GDPR suggests that, where the employer processes a large amount of information about the employee, it should ask the employee to “specify the information or processing activities to which the request relates”. The more the employee narrows down their request, the more difficult it will be to show “complexity”. In any case, the onus is on the data controller to demonstrate that a request is “complex”, and the ICO is unlikely to challenge the claim provided the employer can give good reasons for the delay.

Fee

Employers can currently charge up to £10 for carrying out a subject access request. Under the Regulation, the fee will be abolished and the information will have to be provided free of charge. This could have a significant impact on some organisations that receive a large volume of requests, such as local authority social services departments. However, the ICO guidance explains that a “reasonable” fee may be charged if the request is “manifestly excessive or unfounded, particularly if repetitive”. It explains that the fee must be proportionate to the administrative costs incurred in retrieving the information, which undoubtedly means that the level of the fee can vary significantly depending on the scale of the request.

“Manifestly unfounded or excessive” requests

As well as being able to charge for “manifestly excessive or unfounded” requests, employers can now also refuse outright to respond to unjustified requests. The ICO guidance explains that “you must explain the reason to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.” However, the onus is on employers to demonstrate that the request is “manifestly excessive or unfounded”. It would not be enough simply to say that the effort of searching through a pool of thousands of emails would be disproportionate without taking any steps to isolate them or engaging in a search process. If it transpires that there are significant technical difficulties in retrieving the emails, the employer may begin to move into disproportionate effort territory. In reality the threshold for relying on a “manifestly excessive or unfounded” request will be.