GDPR individual rights – Is the cost to business just about to explode?

Photo by Ibrahim Rifath.

The UK government’s job retention scheme has protected 7.5 million workers and almost 1 million businesses. From the start of August 2020, employers will be asked to pay a percentage towards the salaries of their furloughed staff. Will businesses be able to re-employ all their furloughed workers or will we see a significant number of them being made redundant?

Employees who lose their jobs will invariably feel hard done by. Some of their colleagues have retained their jobs whilst they have lost theirs. They become disgruntled. They want to know why. One way an employee may try to find out why is to exercise their GDPR individual rights by demanding to see what personal data is held and how it has been used. If this is the case, it could lead to a dramatic increase in Data Subject Access Requests (DSARs) that overwhelms data compliance teams and dramatically increases the cost to business.

In preparation for the potential increased demand, some questions that businesses should be asking themselves:

  1. Is your DSAR process manual? If so, do you have sufficient resources to satisfy the increase in demand and still comply with the 30-day response time? Can you make your DSAR process automatic?
  2. Do you have processes that can easily access personal data? Paper records should be stored electronically and indexed. Centralise record keeping. All voice recordings should be indexed. Whilst this should have been standard practice since May 2018 (GDPR start date), what about the paper records of an employee who started 30 years ago?
  3. Do your Records of Processing (ROPs) have the information that states where personal data is stored and processed?
  4. Do you really know who you are sharing your personal data with? An individual has the right to know who you have shared their personal data with. Some third parties are obvious: a travel agent for business travel, HMRC for PAYE and NI. Others are less obvious. The data that you collect in website cookies is personal data. Do you share this data with Google? Business WhatsApp groups are highly likely to share data with Facebook. Have you included all the third parties you share your personal data with in your Privacy Notices? Have you contracted with these third parties correctly and used the correct contracting methods, such as specific data processing agreements?
  5. Do you keep consent records? Can you demonstrate that consent for personal data collection was given freely, the date on which it was given and the purpose for which it was given? Remember that this also includes website cookies. How easy is it to remove personal data if consent is revoked? Is there a revocation process?
  6. Will your third parties comply with the DSAR? Can you report/remove/alter personal data that your business has shared with the likes of Google, Facebook, and Twitter?

Our advice: know what personal data you hold, where it is held, who it is shared with and, where necessary, whether the individual has given consent for its use. Simple advice, tricky to implement.

About Us: Tacita is a leading General Data Protection Regulation (GDPR) compliance specialist operating from their base in the United Kingdom. This company helps clients maintain their GDPR compliance in a cost-effective manner with minimal disruption. Offering clear and actionable solutions, the company offers an unbiased service ensuring their clients save time, money, and energy when it comes to their GDPR requirements. Tacita provides a three-step process, which includes assessments, recommendations and resolutions with detailed reporting and data processing, record processing and privacy policies. Full details can be found at 
