Let's return to IRC Limited to see how they react when a candidate decides to use their rights.
The GDPR is very specific about the timescale that a company has to respond to data subject access requests.
How long does a company have to respond to a data subject access request?
A. One week
B. 40 days
C. One month
D. 10 days
A company has only one month to respond.
When responding to a data subject access request, what do you think needs to be sent to the data subject?
A. Any handwritten notes
B. Any emails that contain information about them
C. Contact details of the people that have received their data from you
D. Everything that you have on your candidate database
E. Any email to or from them
We must send them absolutely everything that the business is holding on them, but when you send the data to the individual you must not include the personal data of other people that may be contained in the same documents or emails.
Let's take a closer look at what these rights grant to individuals.
People have a right to exercise control over the use of their data. If they don't know you have it, you are making this hard for them.
They should be aware of:
who is holding my data and why?
what data are you holding about me?
how long will it be kept?
what are my rights?
how do I contact you to exercise my rights?
Under the GDPR you only have a short period of time to tell people you are processing their details when you've sourced them from a third party (e.g. LinkedIn, a job board). It has to be within one calendar month, or sooner if you share the data with someone outside of your business.
Everyone has the right to find out what information you're holding about them for free. When that request comes in your business has to provide the information within one calendar month. Once they have made a request you must not change or delete anything that you are holding on them.
These are often called Subject Access Requests.
If someone wants you to delete their data, you may have obligations to comply. As soon as you get a request like this, seek advice on how best to handle it. Not all requests are valid, but the clock starts ticking as soon as you receive it, so it's important you react fast.
If it is a valid request you have one calendar month to action their request.
If the data you are holding is inaccurate, the individual has the right to ask you to change it. Again, you must comply with their request within one calendar month.
If someone doesn't want you to process their data they can object and ask you to stop unless you have some overriding legal obligation to continue.
An individual can ask you to transfer the data they have given you to someone else. Your company has one calendar month to comply with the request. The data must be sent in an electronic format.
This is called a Data Portability Request.
People have the right to limit how an organisation uses their data. So a candidate might say "you can submit my CV for this type of role, but not another one".
Your business has worked hard to develop transparent policies and processes that protect these rights. If someone asks to see their data, or change or delete it, all you have to do is follow the right process.
Follow the process - it sounds so simple. But what if someone asks to see the data you are holding on them and it's not in your best interests to reveal that data?
Review the short scenario below and decide what to do next.
You met a candidate last week. He wanted you to put him forward for a role, but you decided against it.
He didn't have the right experience and he came across as quite aggressive, which you noted on his record. You also recorded that he smelled strongly of cigarettes and alcohol.
A few days later
You receive a call from him. He's upset you didn't put him forward for the role and he wants to know why.
You explain that he did not match what the client was looking for, but he refuses to accept that. He tells you he wants to see all of the data you're holding about him.
What would you do?
What's the best way to respond to a request like this, when it could cause you embarrassment?
A. Forward the request to your company's dedicated mailbox immediately
B. Wait a few days to see if they calm down
C. Edit the records to remove anything embarrassing
D. Find them another opportunity to get back in their good books
Forward the request to your company's dedicated mailbox immediately.
Always follow your company's process - speed is critical. You only have one calendar month to respond to any request and you must not change the data in any way once the request has been made.
If you're not completely sure about what to do, ask your manager or the person responsible for data protection in your business to clarify what the company policy and process are for dealing with subject access requests.
The GDPR is about giving individuals the power to control their data.
It does this by giving everyone specific rights and enforcing those rights if companies ignore them.