In this instalment of our GDPR FAQs mini blog series, we consider the implications of an employee receiving a subject access request and failing to notify the organisation.
Our Frequently Given Response:
Organisations must respond to subject access requests within one month of receipt and are not entitled to charge a fee to reply. If an organisation fails to properly respond to a subject access request, it may attract a higher level of fine, particularly if it represents a systemic failure in the organisation’s processes.
A subject access request may be made to anybody within the organisation, and it will be deemed to have been received by the organisation at the point that employee receives it.
It is therefore important that organisations provide training and/or policies to ensure that all employees are able to recognise a subject access request (which need not use any particular form of wording or reference GDPR) and know how to deal with the request (primarily by forwarding it immediately to the point of contact within the organisation who will be responsible for responding to the request). Organisations should also consider implementing an internal process map to follow each time a subject access request is received.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.