General Data Protection Regulation holds that anyone in Europe can ask any company for the data it has on them

Have you ever wondered what your boss or co-workers say about you behind your back? If you’re located in Europe, it will soon be extremely easy to find out.

Under the General Data Protection Regulation that comes into play on 25 May, any individual located in Europe can ask any company for the data it collects about them – and that includes their employer.

If an employee files a “subject access request” – an email, fax or letter asking for their personal data – their employer will have 30 days to collate a cache of all the information stored about that person. This includes any email that refers to the worker, as well as performance reviews, job interviews, payroll records, absence records, disciplinary records, computer access logs, CCTV footage, and recordings of phone calls to, from or about the person.

This right has been available to individuals under existing European data protection rules, such as the UK’s Data Protection Act, but GDPR makes it much easier to access by removing the cost (UK companies could charge £10 for such a request before), reducing the turnaround time from 40 days to 30 days and introducing extremely harsh penalties for companies not complying.

“It can cost the company tens of thousands of pounds because it’s incredibly resource intensive,” said Jack Carvel, general counsel at Qubit, which provides personalisation software to e-commerce sites.

In responding to a subject access request, the company must not include another employee’s personal information. This means that each item must be painstakingly redacted.

“Imagine going through every email sent to you or about you,” said Carvel.

If a company deletes any of the data to prevent disclosure after the subject access request is made, it can be liable for criminal sanctions.

“At the moment it’s a breach of data protection law [in the UK], but not an actual offence,” said Rowenna Fielding, senior data protection lead at Protecture Limited.

Subject access requests are typically made by employees in some kind of employment dispute with their employer – it’s a free and quick way of getting “predisclosure” ahead of litigation. However, there’s no reason why an employee, former employee or even someone who only had a job interview with the company can’t make such a request just out of interest.

Because of how onerous such requests can be, some data privacy experts warn that they could be exploited by activists to punish a company. A group of unhappy former employees could all file requests at the same time, forcing the company to dedicate resources to respond within the 30-day timeframe.

“If you look at it from that angle it seems unfair for companies. But think about the pensioner who was refused a mortgage and doesn’t understand why,” said Carvel, referring to a case for which the regulation was designed. “It’s not intended to be for malicious activists or disgruntled employees.”

Subject access requests generally allow an individual to see a copy of the information an organisation holds about them, whether it’s a mortgage lender, social media company or retailer.

There are some exceptions to the data that companies must hand over, including information relating to trade secrets, anything relating to current management issues such as restructuring or redundancies, any confidential communications with lawyers, health records, or personal data that is processed for purposes relating to criminal justice and taxation.