Respond to a subject access request from an employee under the GDPR

Key points

  • Employees (and other data subjects) have the right to request copies of the personal data that an employer holds about them.
  • The rules for replying to a subject access request under the General Data Protection Regulation (GDPR) differ from the previous rules under the Data Protection Act 1998, for example the timescale for responding to a request is shorter under the GDPR. The GDPR is in force from 25 May 2018.
  • The employer must provide additional information about how it processes the employee's personal data, including for how long it will hold the data (or how the retention period is calculated).
  • Where the employee makes the request electronically, the employer should provide the information in an electronic format.

XpertHR resources