You need to respond carefully and within one month of receiving the request (extendable by a further two months for complex or numerous requests, provided you tell the requester within the first month why you need longer), or you risk a complaint to the data protection regulator (the ICO in the UK) and a GDPR fine (which, as you must know by now, can be up to 4% of annual worldwide turnover or 20 million euros, whichever is higher!)
What is personal information?
Under GDPR it is any information relating to an identified or identifiable natural person: anything that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, to a particular person. It can be in any format; video, image and audio data all count.
Here are some examples:
General business data - Date of birth, National Insurance number, email address, phone number, home address, bank details, employment contracts, wage details, references, assessments, evaluations, training details, grades, holiday details, biometrics, information on family, photos, browser cookies, location data, opinions about the person, IP addresses (often stored in log files).
Health data - Sick days, doctor's notes, medical history, fitness data. Health data, like biometric data used to identify someone, is special category data under GDPR Article 9, so it needs extra care when you collect it and when you hand it over.
You need to tell them
As well as a copy of the data itself, GDPR Article 15 requires you to tell the requester: why you are processing it, which categories of data you hold, who it has been or will be shared with (including any recipients outside the UK/EU), how long you will keep it (or the criteria you use to decide), that they have the right to ask for rectification or erasure and to complain to the regulator, where the data came from if you did not collect it from them, and whether it is used for automated decision-making, including profiling.
Here is a good process for handling Subject Access Requests:
Before you start, do you have the right expertise in-house? If not, speak with your HR firm, or look to contract in a Data Protection Officer.
Verify identity (make sure it is the right person and not an attacker impersonating them). Use data you already hold, such as a known email address, phone number or postal address, or a question only they would know, and reply to the contact details already on file rather than to whatever is given in the request. Asking for a passport or other ID documents is usually disproportionate unless you have genuine doubt about who is asking.
Get the data - search every system that may hold it, including log files, not just the HR folder.
Redact the data if needed (to protect other people's personal data) - this means removing any names or details you cannot share, for example the author of a reference. Remove the text itself rather than drawing a black box over it: an overlay in a PDF leaves the underlying text selectable and searchable.
Package the data (we think PDF is a good format).
Add the details - see 'You need to tell them' above.
Provide the data - securely! We would recommend our free-to-use safedrop.com, or a password-protected PDF with the password sent by a separate channel (for example by phone or text message, never in the same email as the file). If you send the data by plain email, you are risking a data breach!
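The 'Get the data' and 'Redact' steps are where most of the risk sits when the source is a log file: you have to pull out every line about the requester and make sure nobody else's details go out with it. The script below is an added example, not tooling from this page or from safedrop.com. The log format, the names, the addresses and the ticket reference are all constructed for the demo, and the list of subject identifiers is assumed to come from the verified request and your own records. It selects the lines that mention the subject, replaces every other email or IPv4 address with a placeholder, and runs a final check that nothing it knows how to spot has slipped through.

```python
import re

# Constructed sample log lines for the demo; the format and every name,
# address and ticket reference here are invented, not real records.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z login ok user=alice@example.com ip=203.0.113.7
2024-03-04T09:15:44Z login fail user=bob@example.net ip=198.51.100.23
2024-03-04T10:02:13Z share file=report.pdf from=alice@example.com to=carol@example.org ip=203.0.113.7
2024-03-05T08:40:00Z password reset user=dave@example.com ip=192.0.2.99
2024-03-05T11:30:00Z support ticket opened by Alice Smith ref=TCK-1001 agent=bob@example.net
"""

# Identifiers of the person making the request (assumed values; in practice
# they come from the verified request and the records you already hold).
SUBJECT_IDENTIFIERS = ["alice@example.com", "203.0.113.7", "Alice Smith"]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_subject_records(lines, subject_identifiers):
    """Return every line that mentions one of the subject's identifiers (case-insensitive)."""
    ids = {i.lower() for i in subject_identifiers}
    return [line for line in lines if any(i in line.lower() for i in ids)]


def redact_third_parties(line, subject_identifiers):
    """Replace email and IPv4 addresses that are not the subject's own.

    The text is removed, not covered: a black box drawn over a PDF leaves the
    original string recoverable, a placeholder does not.
    """
    ids = {i.lower() for i in subject_identifiers}

    def keep_or_redact(match, placeholder):
        value = match.group(0)
        return value if value.lower() in ids else placeholder

    line = EMAIL_RE.sub(lambda m: keep_or_redact(m, "[REDACTED-EMAIL]"), line)
    line = IPV4_RE.sub(lambda m: keep_or_redact(m, "[REDACTED-IP]"), line)
    return line


def build_sar_extract(lines, subject_identifiers):
    """'Get the data' then 'Redact': select the subject's records, redact everyone else."""
    return [redact_third_parties(line, subject_identifiers)
            for line in find_subject_records(lines, subject_identifiers)]


def verify_redaction(extract, subject_identifiers):
    """Last check before packaging: list any email/IP that is not the subject's.

    An empty list means no third-party identifier of the kinds this script
    recognises survived. Names and free text still need a human read-through.
    """
    ids = {i.lower() for i in subject_identifiers}
    leaked = []
    for line in extract:
        for value in EMAIL_RE.findall(line) + IPV4_RE.findall(line):
            if value.lower() not in ids:
                leaked.append(value)
    return leaked


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    extract = build_sar_extract(lines, SUBJECT_IDENTIFIERS)
    for line in extract:
        print(line)
    print("leaked third-party identifiers:", verify_redaction(extract, SUBJECT_IDENTIFIERS))
```

On the sample data this keeps three lines, leaves the requester's own address and IP intact, and replaces the colleague and the other customer's addresses with placeholders. The verification pass is deliberately independent of the redaction pass so a mistake in one is caught by the other. It only recognises email and IPv4 addresses; names, phone numbers and anything in free text still have to be read by a person before the package goes out.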