Subject Access Request

  • GDPR AND HR

    From the 25th May 2018, to avoid the risk of breaching the General Data Protection Regulation, employer’s are obligated to take on new responsibilities, as well as updating their contracts, policies and procedures, in order to maintain compliance under the GDPR requirements.

    This means employer’s must:

  • HR and GDPR The General Data Protection Regulation (GDPR) was enforced on the 25th May 2018, which applied major changes to the way data is protected, enabling employers to reconsider their employment and HR procedures, and amend them in order to comply with GDPR requirements.

     Employers should maintain focus on the following factors:

  •  

    GDPR Data Processor

    Does a data processor need to be informed when a data controller deletes data?

    A Data Processor only needs to be informed if the Data Controller is in need of support, in regard to undertaking the right to be forgotten. Although, it is important for a data controller to define the relationship with the data processor, in order to understand the dynamics between the two.  It is also seen as good practice to allow the controller to gain access to deleted records through a Subject Access Request that the controller has obtained. If a Data Processor retains copy records as well as back up records, they must be deleted if requested by the Controller. 

    The deletion process can be difficult to carry out efficiently, although it is an essential process, according to GDPR, all the subject’s data must be deleted and backed up again, which is a lengthy but essential process.

  • Subject Access Request and Confidential References

    A Subject Access Request (SAR) is a written request from an individual, in relation to their access to information, which they are entitled to ask for under the Data Protection Act.

    There has been some debate on what must be included in an SAR:

    Recently in relation to the inclusion or exemption of confidential references. As previously, under the Data Protection Act 1998, employees had the right to access their personal information, including references from current or former employers, although employers did have the right to refuse disclose of this information to the employee. In this instance, an employee could overrule the employer’s decision by applying to the recipient employer regarding their reference, whereby the employer could not decline disclosure.

  • Subject Access Request outside of the EU

    On some occasions, an EU subject may require a Subject Access Request (SAR) which involves a transaction outside of the EU. Therefore, data processors must be aware that a data controller outside of the EU will not necessarily give up any or many obligations to the General Data Protection Regulation (GDPR).

    So, the question is whether data processors need to address the Subject Access Request without the controller or not?

  •  Technical Initiatives to stay privacy safe

    Data protection is a term to over-arch the mitigation against failures in protection (confidentiality), accuracy (integrity) and access (availability) that can cause an impact to data subjects and ultimately, your business. Compliance is about the governance of the GDPR, and non-technical measures to adopt and adapt.

     Risk-assessments enable the decision-makers consider everything from contractors leaving with passwords and insider-knowledge and lead to changes in technology, anonymisation of databases, deletion of old, unnecessary records, role-based access to customer data and so on. 

    But what about technical support and access to customer data, particularly when required on a large-scale? What measures are available to manage, minimize and control this?

  •  Right to be forgotten

    Companies need to consider what technical measures they can take in an effort to adhere to the data subject's right to erasure, or 'right to be forgotten'.

    Anonymisation ensures that the anonymised data is no longer identifiable to a person. Therefore, it is no longer considered personal data under GDPR. Where anonymisation has been done, and a subject access request (SAR) follows, you would be then able to explain that you no longer have personal data related to that subject on your database. That said, anonymised data is very hard to achieve perfectly and leaves some risk unless performed properly.

  •  

    Top ten GDPR priorities

    1. Manage expectations - GDPR ‘compliance’ is a matter of constant review, adoption of policies and adaption of processes. Plan, develop and sustain.

     

    2. Continued awareness and training for staff.

     

    3. Update your privacy policy, consent capture and recording.

Make a free enquiry, call now

0151 659 1070




Please let us know your name.



Please enter a valid telephone number



Please let us know your email address.



Please let us know your message.

Please tick the box below

Invalid Input

Invalid Input
I understand that by submitting my query to you, my personal data (name, email address and contact number) will be processed by you in order to contact me and assist me with my query. I confirm I have read and understood the Privacy Notice and I consent to you processing my data for the purpose of contacting me to assist me with my query.




How can we help you?

To find how our friendly and knowledgeable solicitors can help you, contact us today.

Make a free enquiry - Call now - 0151 659 1070