The General Data Protection Regulation (GDPR) was enforced on the 25^th May 2018, which applied major changes to the way data is protected, enabling employers to reconsider their employment and HR procedures, and amend them in order to comply with GDPR requirements.

 Employers should maintain focus on the following factors:

Article 28 of the General Data Protection Regulation (GDPR) states the conditions of a data processing agreement between the data controller and the data processor.

Recently, this agreement has been brought in to question, regarding its workability and whether it is actually working in the way it is prescribed in the GDPR requirements. https://gdpr-info.eu/art-28-gdpr/

Organisations are usually established as the data controller, and the program they use acts as the data processer, i.e. Microsoft One Drive for Business, which is utilised by various companies. In accordance with Article 28 of the GDPR, an organisation should have a controller-processor agreement with their chosen software, which would usually be dictated by the data processor.

GDPR gives individuals the right to have their personal data deleted, although this is not an 'absolute' right. If you still need to retain the personal data concerned, you may be able to refuse the request. Moreover, the right to erasure does not mean you erase all the data if you have a need and legitimate interest basis to process their data for audit records. If you cannot erase data (for example, there is a legal requirement to keep certain records for 6 years) then consider restricting the processing, such as moving to archiving.

The data minimisation principles should also be applied, together with an appropriate retention period. Ensure that you inform the data subject as to what data you are keeping.

On some occasions, an EU subject may require a Subject Access Request (SAR) which involves a transaction outside of the EU. Therefore, data processors must be aware that a data controller outside of the EU will not necessarily give up any or many obligations to the General Data Protection Regulation (GDPR).

So, the question is whether data processors need to address the Subject Access Request without the controller or not?

Companies need to consider what technical measures they can take in an effort to adhere to the data subject's right to erasure, or 'right to be forgotten'.

Anonymisation ensures that the anonymised data is no longer identifiable to a person. Therefore, it is no longer considered personal data under GDPR. Where anonymisation has been done, and a subject access request (SAR) follows, you would be then able to explain that you no longer have personal data related to that subject on your database. That said, anonymised data is very hard to achieve perfectly and leaves some risk unless performed properly.