I believe that a former employer may have acted unfairly against me whilst I worked there and I'm intending to SAR them to see if there is any evidence of this which I can use. I do not know where the evidence may exist or in what form, whether it is in emails, phone calls (which I know to be recorded and stored) or paper records so I would like to make a SAR for every piece of information they have. I also obviously do not want to disclose the reason for my request and find that the evidence I'm looking for may miraculously disappear. I am uncertain whether it's better to make a SAR in the next couple of days (before GDPR comes in), or wait until next week when GDPR is introduced. Under the present system, AIUI I pay the statutory fee of £10 but I then have an unqualified right to request all information. However, under GDPR the statutory fee is abolished but they will be able to charge a 'reasonable fee' where the request is 'manifestly unfounded'. Is there any guidance as to what a reasonable fee might be (lower/higher/the same as the current statutory fee?), and what qualifies as a 'manifestly unfounded' request - is a general request for all data rather than a targeted request considered 'unfounded' in itself?

In May 2018 the new General Data Protection Regulation will come into force. This is an EU wide regulation and although the UK will be leaving the EU, these new regulations will be implemented. http://tinyurl.com/zqfmm48 The above linkis from the ICO goes into some detail but it isn't very clear as yet. The one major change to consumers is the removal of the £10 fee although companies can charge for extra searches. I'm not 100% sure that the removal of fees relates to medical records as yet. If the NHS cannot charge the usual £50, that will be a big bonus. http://tinyurl.com/zrg22z4

Wonder if BiliffCos and DCA;s will suffer on this one? EU GDPR on data processing regs might make it difficult where a debt and associated data is being passed around freely, also implications for Credit Reference Agencies, and Marketing companies as Data Subject must give explicit consent for the data processing From the article link below: http://www.idgconnect.com/abstract/24102/from-insular-us-firms-spammy-marketers-who-gdpr-hit-hardest ‘Privacy by design’, ‘access rights’ and ‘breach notification’ “One of the changes due to be implemented in GDPR is the explicit recognition of the concepts of ‘privacy by design’ or ‘privacy by default’. Businesses will now find themselves subject to a specific obligation to consider data privacy at the initial design stages of a project as well as throughout the lifecycle of the relevant data processing. Overlay the current privacy requirements in individual countries and you have a whole new box of worms. “Under GDPR individuals will have the right to obtain confirmation that their data is being processed and have access to their data. GDPR clarifies that the reason for allowing individuals to access their personal data is so that they can verify the lawfulness of processing. This in itself will pose huge challenges for organisations with the whole process of giving access to data subject and providing proof of legitimate processing. “This will incur the highest fines stipulated in any legislation. Organisations are notoriously bad at detecting breaches and the average, only 20%, are detected by organisations themselves, the rest are notified by third parties.” Rashmi Knowles, Chief Security Architect EMEA at RSA