Under the new regulation, any company operating with European data subjects can receive requests from any individual for their own data.
An interesting case is that of current or former employees requesting their data records.
The regulation removes the cost for the requester, reduces the time for delivering the data and increases penalties for companies not complying. On the other hand, such requests can be quite resource intensive.
Matt worked for his last employer for about 15 years and is now retired. He has recently been refused a mortgage and, to better understand the situation, he files a subject access request by email asking for his personal data.
From this moment his former employer has 30 days to comply with the request, a task that requires the company, for example, to
- collate all the information stored about Matt;
- make sure not to include other persons’ data;
- verify the applicability of any disclosure exemption;
- provide him a copy of the data;
- inform him about the reasons for collecting it;
- specify who can see the data.
The company must not underestimate the reasons for processing and the applicable exemptions. There might be reasons for holding the data other than the former employment relationship, and exemptions range from trade secrets to confidential communications, from health records to taxation data. Even obvious ones must be verified and stated.
Special attention must also be given to not deleting data after receiving the request; doing so would make the company liable for sanctions.
And that’s only to comply with the access request - after his own checks, Matt can also ask for data to be corrected, if it’s not accurate.
If the above already sounds like an intensive activity, things can get even heavier at scale. Think about unhappy employees, unsatisfied job applicants, or even groups of activists pushing their own agenda.
Because of how onerous such requests can be, organizational and operational measures must already be in place. Awareness, processes and technical solutions must have been implemented beforehand.
The target date for the new regulation is not far away.
Is your company ready to handle incoming data requests?