It’s over two months since the GDPR came into force across the EU and the rise in Subject Access Requests (SARs) continues as predicted. Many of these, not surprisingly, are requests from former employees. Whatever the reason they’re now former, they do have the right to know the personal information your company holds about them so there’s no getting away from the need to respond and respond in full. This is where the problem starts.
No doubt you’ll have a personnel file for the employee, and financial records of their pay and benefits; this is the easy part as it’ll be filed, indexed and easily retrievable. But what about emails, minutes of meetings and other more esoteric records? These are likely to contain the “hidden gold” the ex-employee is looking for and they may suspect or even know about them already, so not making them available is tantamount to shooting yourself in the compliance foot.
Furthermore, the time and effort to track these down, review the content, identify other data subjects mentioned and either seek their consent for release or redact their details, can be significant.
For anyone already in this predicament, hindsight is a wonderful but not necessarily useful thing; by now they’ll have either avoided or fallen into the many pitfalls the situation presents. But for those who’ve not yet received such a SAR, there are actions you should be taking now to avoid any issues.
If you’ve not already done so, conduct a personal data inventory. Remember to dive deep in this area: ask all your people managers where they keep information on their staff. Add the results to your Records of Processing (what’s that? Check out Article 30 of the GDPR; this is your bible of what you do with personal data, where you keep it and why) and from there you can assess the size of any problem.
Check your personal data retention policy (you do have one, right?). Does it cover all types of personal information you hold on staff? Are the retention periods too long? Some organisations will keep staff data forever just in case that person applies for another job there many years later.
Look into any regulatory requirements; otherwise, consider setting a maximum of six years so you’re able to respond to legal claims up to the time limit under the UK Limitation Act 1980. But don’t take this as pro bono legal advice: speak to your legal team, and bear in mind that in many cases a much shorter retention period will be more than adequate. Remember the GDPR principle of storage limitation: don’t keep it any longer than you need to. However, be aware that retrospectively applying a retention limit to avoid providing information is not allowed; what’s there when the SAR arrives has to match what’s provided. This should add impetus to getting the retention policy in place and applied now.
Manage the personal data. While email is a great tool for communication, it’s not so hot as a searchable storage system; although, as it does work like one at a push, it’s not exempt from the GDPR. Should email be the place to keep information others may need to access in a hurry? Doubtful. Instead, look at a system you can move those emails to, which not only helps you to locate what you need quickly and easily but also enables you to tighten the access control; for example, if it relates to a personnel issue, restrict it to HR. This will help you to meet the requirements of another of the GDPR principles: integrity and confidentiality.
Once you’ve taken these steps – and conducted a few ad-hoc tests to make sure the process has worked – you’ll be in a much more comfortable place when the almost inevitable SAR lands in someone’s inbox. Which brings me to my final action point: don’t just wait until it happens and then work out what you should be doing. Take the pro-active approach and have your response procedures documented, agreed and tested in advance; there’s no room for complacency, as this is not going to go away.