137[1] countries around the world now have at least some form of data privacy legislation in place. Where legislation exists, that often includes a right for individuals to have access to their personal data through a data subject access request (SAR).

From a people strategy perspective, SARs made in the context of employment can have a significant impact on cost and management time, as well as impacting a business' risk profile. Disruption to the business and other risks can however be minimized if organizations have robust and efficient processes in place to effectively identify and deal with SARs and a clear understanding of the legal requirements and regulatory standards. Effective and efficient collaboration between HR, legal and IT teams will also often be key.

Following on from the previous global briefings in this series of materials focusing on considerations for HR strategists on topical issues (Chapter one: Global workforce mental health protection, Chapter two: Global diversity data, Chapter three: Speaking up - whistleblowing, Chapter four: Business protection - the global use of restrictive covenants in employment, Chapter five: Wage transparency and Chapter six: Technology in employment), in this briefing we explore some of the risks and key strategic considerations for dealing with SARs in employment.

Subject access requests (DSARs or SARs) - a global approach?

In those jurisdictions that provide a legal right for individuals to have access to their personal data through a SAR, individuals are increasingly aware of and willing to utilize that right – both for their own interest and other, more tactical, purposes. Equally, businesses focusing on responsible business practices are often taking a fresh look at data privacy strategies in their business operations and in respect of their people, resulting in measures to ensure increased transparency over employee data privacy practices.

However, a globalized approach to data privacy, including SARs, can be a challenge. Different risk profiles apply to each jurisdiction depending on the propensity for individuals to make SARs, the stringency of the applicable rules, and the penalties in the event of any breach of the legal requirements. From a procedural perspective, different timescales often apply to the disclosure of the data, different standards apply to the extent to which efforts should be made to search for information, differences exist in the ability to extend deadlines and different exemptions from disclosure can be applicable.

Certain types of personal data will often fall outside the scope of data that must be disclosed in response to a SAR, through the application of certain exemptions that will often be accompanied by conditions of use. Again, this will depend on the law of the particular jurisdiction but will often include personal data that is subject to legal privilege, third-party personal data, personal data subject to a legal duty of confidentiality, confidential references, and management forecasting/planning information.

Consequently, any global approach to dealing with SARs should be agile enough to accommodate procedural deviations in different countries, while at the same time ensuring consistency in overarching principles to support wider responsible business practices and risk management.

Effective SAR compliance – why are some countries more difficult than others?

Any approach to dealing with SARs should anticipate that in some countries, effective data protection compliance can be significantly more resource-intensive than others, both in terms of cost and management time.

In Europe, the General Data Protection Regulation (GDPR)[2] has been directly applicable in all EU member states since 2018 and continues to form part of the body of retained EU law in the UK. The legal requirements in all EU countries and the UK are derived from the GDPR, which gives some uniformity in those requirements. However, the exemptions to disclosure in response to SARs are set out in local legislation, which differs between each of the EU Member States and also in the UK.

This difference in exemptions between different jurisdictions is often the root cause of the differences in the ease of addressing SARs, together with the guidance and enforcement actions of national regulatory bodies established to monitor and uphold data protection rights and obligations.

For example, in the UK, there are no sweeping exemptions from disclosure for confidential or business-as-usual information, as exist in many EU countries. In addition, the UK Information Commissioner's Office often takes a more stringent approach than other national regulatory bodies on certain issues. In particular, there is a requirement for full searches to be undertaken whenever a SAR is made, and an expectation that the resources devoted to SARs are managed through improved processes and more focused data retention and indexing practices, rather than by limiting the search or disclosure obligations.

In addition, the definition of what constitutes personal data differs by jurisdiction, meaning that the scope of SARs can vary significantly. For example, the US term "personally identifiable information" (PII) is much narrower than what is considered to be personal data in the UK and EU.

Taking account of these differences, it is easy to see why harmonized approaches often result in compliance gaps.

Risks of failing to achieve effective SAR compliance

From a business protection perspective, data privacy is a constant feature, recognizing the significant negative ramifications of non-compliance. Potential consequences of failure to adhere to data privacy requirements, including requirements in respect of SARs, include negative impact on brand reputation, damage to employee relations and consumer confidence, and criminal or civil sanctions.

The level of any fine imposed under any civil sanction regime will often depend on the number and severity of any breaches, but can potentially be very significant. For example, in Europe, fines for GDPR breaches can amount to up to £17 million or 4% of annual global turnover. In Canada, starting from September 2023, similarly severe penalties will be introduced, with maximum penalties rising to up to CA$25 million or 4% of worldwide income.

While the biggest fines in recent years have tended to involve breaches in respect of the way an organization has collected and shared personal data via cookies, failures in the use of privacy notices, and employee privacy data breaches, there are a number of ways in which a breach can occur.

In the context of SARs, there are several points in the process that are particularly vulnerable to breaches if the risks are not effectively managed. Those process points include a failure to identify a SAR, a breach of the timescales for disclosure, and breaches in the documents disclosed, including unnecessarily disclosing third-party data as a result of failing to properly apply exemptions. Because of these multiple points of potential vulnerability, it is important to take a holistic review of the complete SAR process in order to effectively manage the risks.

Cross-border considerations – applicable data privacy law

With increasing numbers of workers working under remote or hybrid arrangements that span borders, it will be critical to understand the applicable law that will govern any SAR.

The starting point for employee SARs is always the governing law applicable to the employer that holds the employment relationship with the employee applicant, even if that is different from the jurisdiction in which the employee is based or located. Where the employee is based in another jurisdiction, it may be that multiple governing laws apply as a result of the extra-territoriality of privacy laws across the world. Care must therefore be taken where SARs are made across borders.

Managing SARs – practical considerations

As highlighted above, the resources that are required to be devoted to SARs in certain jurisdictions can often be significantly higher than in others. However, even in those countries where that applies, developing a collaborative and clearly defined process approach covering the management of SARs from receipt through to disclosure can significantly mitigate the resource requirements. Such an approach will also drive higher quality responses and disclosures, which can, in turn, better protect the business from regulatory investigations and enforcement.

Practical action points:

  1. Develop a clear and comprehensive employee SAR handling policy, including a responsibility matrix: That policy should identify individual roles and responsibilities to maximize clarity of process and collaboration, usually including a compliance lead, a legal lead and an HR lead. It should also include a process to enable early clarification of the nature of the request, including whether it is a routine or complex SAR, timescales and the process for any deadline extensions, and dealing with clarifications/narrowing the scope of SARs.
  2. Know what data is held and where: The ability to readily and quickly search for personal data will be vital. The availability of appropriate technology will often be key in this respect. The effective application of such technology will often depend on clearly mapping where personal data is commonly held and which areas/systems should be searched routinely. Clear processes should also be in place to ensure effective filtering and redaction of data.
  3. Ensure clear, transparent processes: Information should be readily available to employees on an organization's data privacy policy, as well as how to make SARs and the process to expect. In addition, staff should be trained on how to identify a SAR and the policies and procedures that will apply, including where to forward the request. Clear audit trails should be created and maintained on the documents disclosed, how relevant documents were identified/filtered, as well as the application of any exemptions from disclosure. The statutory timescale starts as soon as anyone within the organization receives the request, regardless of whether or not they have been trained and know who to refer it to within the business.
  4. Effectively manage the amount of work undertaken on any SAR: Controlling and managing the process and deadlines can be essential to compliance and effectively managing the resources devoted to SARs. Requesting identity verification, seeking clarification and/or narrowing the scope of requests where appropriate and applying exemptions knowledgeably and consistently will be essential.

Footnotes

1. United Nations Conference on Trade and Development, 14 December 2021

2. 2016/679/EU

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.