Keeping searches manageable
The General Data Protection Regulation (GDPR) is not concerned with the motivation of the employee to make the request unless it is ‘manifestly unfounded or excessive’. Employees are becoming more aware of the legislation moving forward which is likely to increase the rate of requests, particularly as it can be instigated with a simple communication to the employer from the employee.
An initial search can throw up thousands of items of data held about an employee, producing an overwhelming workload to satisfy the SAR.Employers were afforded some respite in the final throws of the Data Protection Act 1998 when it was clarified in Dawson-Damer v Taylor Wessing LLP (among other cases) that data should be supplied as long as the search would not involve ‘disproportionate effort’. This implied an obligation to perform a ‘reasonable and proportionate search’ and NOT an obligation to ‘leave no stone unturned’.
SAR under GDPR
The SAR sections of the GDPR or the DPA 2018 however, make no reference to the ‘disproportionate effort’ that should be applied, which on the face of it implies no limitation on the scope of the SAR and the potential size of the workload.
To mitigate this, employers controlling large amounts of data about employees are able to utilise Recital 63 of the GDPR, requiring the employee to further specify additional information as well as guidance as to what matter the SAR relates. This allows the employer to regain some control of the workload when completing the SAR.
Further guidance from the Information Commissioner’s Office (“ICO”) provides that the search should commence following receipt of additional information; if the employee fails to clarify the request then a ‘reasonable search’ should be carried out to satisfy the SAR (it should be noted that a search must not be narrowed or limited due to any cost implications this may have for the employer).
Although it is likely that future courts would take a general view of proportionality, this is yet to be tested and therefore employers should err on the side of ‘over-searching’ when conducting SARs for employees.
How you can prepare for SARs
Employers can prepare for an SAR by having a policy and procedure in place to act, which also notes the contact list of people likely to be involved in completing the task.
Engage openly with the employee to narrow the scope of the request and then act quickly to ensure the request is satisfied within the deadline – usually one month.
Employers should know where to look technologically for the data required (including backups) and be sensitive to the protection of third-party data. The whole process should be documented thoroughly in the event that the employee feels compelled to challenge the satisfactory completion of the SAR either by complaining to the ICO or applying to the courts for a compliance order.
How The People Department can support you to prepare for an SAR
If you require any support in developing a process or managing a request, call one of the team on 0161 884 1888 or email [email protected] for assistance.