Research by law firm Squire Patton Boggs has revealed (one year on from the introduction of GDPR) that companies are facing cost pressures from a large number of subject access requests (SARs) coming from their own employees.
A subject access request, which is a legal right for everyone in the UK, is where an individual asks a company or organisation, verbally or in writing, to confirm whether it is processing their personal data and, if so, to provide a copy of that data, e.g. as a paper copy or spreadsheet. With a SAR, individuals have the legal right to know the specific purpose of any processing of their data, what type of data is being processed, who the recipients of that processed data are, how long that data is stored, how the data was obtained from them in the first place, and how that processed and stored data is being safeguarded.
Under the old 1998 Data Protection Act, companies and organisations could charge £10 for each SAR, but under GDPR individuals can make requests for free. However, companies and organisations can charge “reasonable fees” if requests are unfounded or excessive (in scope), or where copies of data additional to the original request are requested.
Big rise in SARs from own employees = rise in costs
The Squire Patton Boggs research shows that 71% of organisations have seen an increase in the number of their own employees making official requests for personal information held and 67% of those organisations have reported an increase in their level of expenditure in trying to fulfil those requests.
The reason for the increased costs of handling the SARs can be illustrated by the 20% of companies surveyed who said they had to adopt new software to cope with the requests, the 27% of companies who said they had hired staff specifically to deal with the higher volume of SARs and the 83% of organisations that have been forced to implement new guidelines and procedures to help manage the situation.
Why more requests from employees?
It is thought that much of the rise in the volume of SARs from employees may be connected to situations where there are workplace disputes and grievances and where employees involved feel they need to use the mechanisms and regulations in place to help themselves or hurt the company.
What does this mean for your business?
This story is another reminder of how the changes made to data protection in the UK with the introduction of GDPR, the shift in responsibility towards companies and the widespread knowledge about GDPR can affect the costs and workload of a company handling SARs. It is also a reminder that companies need to have a system and clear policies and procedures in place that enable them to respond quickly and in a compliant way to such requests, whoever they are from.
The research has highlighted an interesting, and perhaps surprising and unexpected, reason for the rise in the volume of SARs, and has also highlighted that there may be a need for more guidance from the ICO about employee SARs.