Future of work: What to do with GDPR/data subject access requests
Since the GDPR came into force there has been a rise in subject access requests (SARs).
An employee has the right to obtain information from an employer as to whether or not personal data is being processed about him or her. Personal data is information relating to an individual from which they can be identified. If personal data is being processed, the employee is entitled to be given a copy of this personal data. This must be provided free of charge, without undue delay and, in most cases, within one month of receipt of the request.
Although an employer must make genuine and extensive efforts to comply with a SAR, it does not have to go so far as to leave no stone unturned. Subject access requests are subject to the principle of proportionality, and although an employer should be prepared to make extensive efforts to find and retrieve the requested information, it is not required to do things that would be unreasonable or disproportionate to the importance of providing subject access. You may suspect the employee has ulterior motives but that isn't relevant. The starting point for the ICO is that they have a right to their personal data.