“What you looking at?” Will subject access rights become the Vogue under the GDPR?
What changes will there be to the current regime?
Based on what we know for now, the GDPR subject access request (“SAR”) process will be similar to that under the current regime. The key changes taking effect from May 2018 are:
- The time to respond to a SAR will be reduced from 40 days to one month. If a request is complex then there is a possibility to extend the time period.
- Organisations will no longer be able to charge a fee to comply with a SAR under the GDPR, unless the request is “manifestly unfounded or excessive”.
- Any response to a SAR should allow the individual to easily identify what information is held on them and what processing has been carried out.
- A SAR may be made electronically, e.g., via email, and responses may also be provided in the same manner.
The obligation to respond to a SAR will still lie with the data controller.
What impact will these changes have on a data controller?
For organisations that do not deal with many SARs, the impact may well be limited; but where an organisation sees a large number of SARs, it will most notably need to be prepared to respond more quickly and at its own cost.
With that in mind, a GDPR-regulated organisation should consider:
- Reviewing its SAR policies (both internal and external facing) and making any relevant adjustments.
- Developing template response letters to streamline its process for responding to SARs.
- Training employees on the new GDPR requirements and the organisation’s updated SAR process.
SARs arising from pre-employment background screens
Being background screened on the way to a new job can be a sensitive time for a candidate. Candidates may, for example, worry about the scope of processing undertaken, how long data is held for and by whom, and the results of their background screening. All of these factors may lead a candidate to make a SAR.
How can a background screening provider support a data controller in responding to a SAR?
In many cases the initial contact from a candidate to request sight of their screening report comes in directly to the background screening provider, the data processor. However, the data processor is not independently empowered to respond to the SAR.
There are therefore a number of things that the background screening company can do to balance its desire to be responsive to candidates with being supportive of its clients in the SAR process:
- At the very start of the screening process the data processor can have in place clear information notices which will inform the candidate of:
  - The candidate’s rights under the GDPR.
  - Confirmation as to the purpose, location, extent and duration of any data processing.
  - Confirmation as to the data retention period.
- The data processor should segregate personal data by (i) data controller; and (ii) reference number pertaining to a candidate: this will help ensure that information can be identified quickly and easily.
- The data processor can develop a policy to respond to any misdirected SAR, which may include:
  - A pro-forma response to be sent either by post or email (depending on how the SAR has been submitted) to the candidate confirming where the SAR should be directed.
  - Training of all staff to communicate to any candidate how the SAR process works.
  - An FAQ section on the processor’s website relating to SARs.
- Agreement with the data controller regarding responding to a SAR, e.g.:
  - Contractual provisions with the data controller regarding how a SAR should be handled: consider the data controller pre-authorising the release of a candidate report upon a SAR; or
  - Immediate communication to the data controller to inform them of the SAR and to request instructions on release of a candidate report.
HireRight has policies and systems in place to deal with candidate SARs, and will continue to work with its clients to ensure that under the GDPR a candidate receives a timely and supported response to any requests made.