
An Employer’s Guide to GDPR Part Seven

An Employer’s Guide to GDPR Part Seven – Subject Access Requests

Keeping HR Simple have teamed up with Data Protection Specialist Simon Hinks. Simon works closely with businesses and charities on data protection, compliance and data auditing, helping them to understand their GDPR/DPA gaps. His hot topics include GDPR compliance and data audits, communication audits and customer journey audits.

We asked Simon to talk to us about the big picture of GDPR and what that means from an HR point of view. In this final post, we focus on subject access requests (SARs).

Subject Access Requests under GDPR

This right, commonly referred to as subject access, is most often used by individuals who want to see a copy of the information an organisation holds about them. However, the right of access goes further than this. An individual who makes a written request and pays a fee is entitled to be:

  • told whether any personal data is being processed;
  • given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
  • given a copy of the information comprising the data;
  • given details of the source of the data (where this is available).

This is a process not every company will have a policy for, and in many cases it will require a means of confirming the details of the requestor. This means having a single customer view, or at least access to all data files, while being able to provide the data in a portable way, such as on a USB stick. Information needs to go back to the requestor within 40 days.

An individual can also request information about the reasoning behind any automated decisions, such as a computer-generated decision to grant or deny credit, or an assessment of performance at work (except where this information is a trade secret). If you are using an online decisioning tool to determine whether an applicant progresses to the next stage, you must be able to explain the reasoning behind the decision and be able to override the decision with human intervention.


In most cases you must respond to a subject access request promptly and in any event within 40 calendar days of receiving it.

If you want to discuss further or ask any questions about GDPR and what it means to you, don’t hesitate to get in touch!
