With businesses now building back up following the pandemic, focus has moved onto ensuring organisations are as efficient, effective and resilient as possible. Key to this is ensuring that managers are fully equipped to handle workplace issues.
The session focuses on dealing with DSARs (data subject access requests) and other practical data protection issues for employers. The key takeaway points are set out below:
Brexit and Data Protection
- The Data Protection Act 2018 continues to apply in the UK. The GDPR has been transposed into UK law and is now the UK GDPR. As a result, organisations should review their policies and procedures and update references to the applicable legislation.
- Currently, personal data can be transferred between the UK and the EEA as before. However, transfers from the EEA to the UK are only permitted on this basis until 30 April 2021 (with the potential to extend this date to June 2021) unless an adequacy decision is reached before then.
Top tips for employers handling DSARs
- Generally, try to reduce the data you hold so there is less to disclose! Effective data cleansing and retention protocols are critical to this.
- Have a clear DSAR policy in place and a standard request form which employees are encouraged to use.
- Make sure managers are trained to recognise requests and understand the process and timescales involved once a request is received.
- Consider the scope of the request and whether further clarification is needed to limit the scope of the searches you will need to carry out to locate the data, e.g. in terms of dates, type of data and sender/recipient. Remember that individuals are only entitled to their own personal data, i.e. any information from which they can be identified.
- Remember to include in your search instant messages on work devices and documents held on servers, and search against all iterations of the individual’s name, including initials or nicknames.
- Keep an eye on timings and ensure that internal processes are completed within the specified time limits. Requests should be responded to without undue delay and in any event within 1 month, although it is possible to extend this deadline by a further 2 months for complex requests.
- Consider how to deal with third-party data. It may be reasonable to disclose this data, or the third party may consent to the disclosure. If not, any third-party data would need to be redacted before being included in the response.
- Check whether any of the exemptions apply which might mean that you don’t have to respond to a DSAR and, if so, keep a written record of the reasons for relying on an exemption. Employers are typically likely to rely on the exemptions for: legal advice and proceedings, management information, confidential references and negotiations with the requestor.
- Provide the requested information in a concise, transparent, intelligible and easily accessible form. Remember to include not just the data itself but the accompanying information including the purposes for which it is processed, the recipients of the data and for how long it is intended to be kept.
What to do if a DSAR response goes wrong
- Failure to respond to a DSAR can amount to a data breach.
- Consider what steps can be taken to address or contain the breach.
- Establish the severity of risk to the individual’s rights and freedoms and whether the duty to notify the ICO and the individual concerned has been triggered. If so, ensure that the timescales for notification are met, in particular notification to the ICO within 72 hours.
- Generally, the ICO’s approach will be to try and work with you to address any breach and to give compliance advice rather than to go straight to a fine in anything but the most significant cases.
Please find below the results from the poll we took part-way through the session.