You may remember that we released a suite of General Data Protection Regulation (GDPR) compliance documentation in January to assist clients in their preparations for the introduction of the new EU data protection regime on 25th May 2018. In case you missed it, our guidance notes, style policies, style clauses and style data audit record are all available on the client area of our website.
We have also prepared a number of new documents designed to assist with responses to requests from employees to exercise their data subject rights after May. As well as making a number of changes to the existing right to access personal data by making a data subject access request (DSAR), the GDPR introduces a range of new rights, such as the right of erasure (known as the “right to be forgotten”). Not only is it no longer possible (in the vast majority of cases) to charge a fee for complying with a request, the timescales for response have now been shortened from 40 days to one month.
It is impossible to predict with certainty whether employers will face an increase in requests after the GDPR comes into force, but one estimate from the Ministry of Justice suggests that there could be a rise of between 25 and 40%. It is certainly likely that there will be increased media reporting of data subject rights in May, and it is therefore sensible for employers to plan ahead now to ensure that they understand their rights and obligations and have appropriate documents and procedures in place.
We’ve produced a guide to handling DSARs together with a guide on how to identify personal data, coupled this with style response letters. We’ve also produced data subject rights forms which can be used to assist employees in focussing their requests in a reasonable way, thereby reducing the administrative burden of responding to requests. If you do not currently have formal procedures in place to deal with DSARs (and other data subject rights), it is worthwhile implementing a policy, and you will find a style policy among our new documents.
In addition to data subject rights documentation, we have prepared a standalone data processing consent form and updated our medical report consent form to be GDPR compliant. Our main GDPR guide has also been updated to refer to the new documentation.
If you have any questions about how to implement the documentation in your organisation, don’t hesitate to get in touch with your named Employment Solicitor or HR Consultant.