[tooba]

Subject access requests have existed for twenty years in the UK. The Information Commissioner's Office provides free guides on how to request data. Most people aren't aware of their right to do this. Organisations can charge under the current legislation but often don't.

A lot of organisations forget to discuss the scope of a subject access request. If you imagine an employee at an average company, an undefined subject access request can include months or years of pension contributions, internet and email logs, training records, meal choices for their end of year party... if their issue is a recent performance review, the scope will often be email chains or HR documentation relating to that. The incentive for them is that they can often have the data they're interested in a short space of time rather than wait longer for pages of data they've got no need in. If you do this, make sure it's a genuine conversation with them and it's documented as to the scope they agreed.

Remember that right to be forgotten isn't an absolute right especially where you're relying on basis other than consent. If you ask your employer to erase all data about you, they'd have an argument under 17.1.a. to argue that it's necessary to keep that information in order to pay you. Nor can you ask the police or tax office to erase your data.