The GDPR comes into force on 25th May 2018. So, what will change?
- Time limits to respond to a Subject Access Request (‘SAR’) – currently you have 40 calendar days to respond to a SAR; under the GDPR you must respond and provide copies of the data without undue delay and at the latest within one month of receipt.
- Fee for SAR – currently you can charge £10 for a SAR, but under the GDPR this will be abolished, so in most cases you will need to respond free of charge (unless the request is excessive or complex, in which case you can charge a reasonable fee for your administrative costs).
- Format of response – unless the employee otherwise requests, you will need to respond to a SAR in a commonly used electronic format, email.
- Exemptions – unlike the Data Protection Act (‘DPA’), the GDPR contains no list of exemptions which you can rely on to refuse a SAR. However, the Government has the power to enact exemptions and so will quite possibly enact the same ones as under the DPA.
- Enhanced employee rights – specifically, employees will have the:
  - Right to be informed;
  - Right of access (SARs);
  - Right to rectify inaccurate or incomplete personal data;
  - Right to erase personal data;
  - Right to restrict processing of data;
  - Right to data proportionality;
  - Right to object to data processing.
For more detailed and specific advice on how the GDPR will affect your business, please contact Jake on 01564 739 103 or firstname.lastname@example.org.