For those living in the UK and the EU, access to personal data is a fundamental data protection right. Should they want to, individuals can ask any organisation whether it is using or storing their personal information, and request copies of that data.

This is commonly referred to as the ‘right of access’, and is enshrined in Article 15 of the UK and EU General Data Protection Regulation (GDPR). Exercising this right is most widely known as making a data subject access request (DSAR), and allows users to view and process their personal data.

Given that most organisations handle significant volumes of data every day – be it of clients, third parties or their own staff – there is an obligation on businesses to react to DSARs appropriately, and in keeping with GDPR regulations. Organisations are restricted from making purely automated decisions based on profiling, meaning that DSARs cannot be automatically dismissed or resolved. When receiving a DSAR, organisations must:

a) identify it as being an actual request

b) verify the identity of the requestor

c) check the request is valid, and not manifestly unfounded or excessive

d) conduct searches and redact personal data as required

e) prepare and send a reply, including relevant information

f) keep a record of what has been sent. 

This is a fairly rough list that doesn’t, for instance, consider the complexity of identifying who the data belongs to, what counts as personal data, and whether other individuals are impacted by the disclosure.

However, it is more than complex enough to demonstrate that organisations must pay attention to the processes they establish around responding to a DSAR. This is especially important considering they have only one calendar month to respond, though this can be extended to three for complex cases.

How DSAR Handling Can Go Wrong

It is perhaps unsurprising that some organisations fail to handle DSARs well – and often in spectacular fashion. In September 2022, the UK Information Commissioner’s Office (ICO) announced it had reprimanded seven organisations that had not complied with their DSAR obligations. These organisations were listed as the Ministry of Defence, the Home Office, the London Borough of Croydon, Kent Police, the London Borough of Hackney, the London Borough of Lambeth, and Virgin Media.

A reprimand in this context is a written notice filed by the ICO after an investigation into an organisation’s data protection practices. This notice will outline the failings and breaches, before recommending further steps to improve compliance. While a reprimand in itself may not seem too alarming, failing to act upon the ICO’s notice could result in future enforcement actions, as well as fines of up to £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is the higher.

Issues with DSARs are far from uncommon: the ICO reports handling some 35,000 complaints a year, the vast majority of which concern right of access. By examining the failings of some of the reprimanded bodies referenced above, we can learn more about how to correctly handle a data subject access request:

 Home Office. The ICO noted that the Home Office had a significant backlog of DSARs relating to the period of March 2021 to November 2021. Between these dates, just under 21,000 DSARs were not responded to within the necessary time frame, resulting in numerous complaints that requestors had suffered distress. As of July 2022, the Home Office had just over 3,000 DSARs that had not been responded to within the legal time frame.

 London Borough of Hackney. Between April 2020 and February 2021, the borough failed to respond to 60% of DSARs in the necessary time frame, with the oldest of these being 23 months old – that’s 23 times the normal limit.

 Virgin Media. Over a six-month period, Virgin Media failed to respond to 14% of the 9,500 DSARs it received within the appropriate time limit.

These organisations had between three and six months to demonstrate improvement, but most businesses and public bodies would probably prefer to avoid attracting the regulator’s gaze in the first place. To help with this, the ICO has recently issued some guidance for dealing with common DSAR handling issues:

 Regular updates. Quite simply, organisations often take too long to respond. This is particularly relevant to complex requests, where the time limit to respond can be extended to three months. In these cases, requestors should be regularly updated to ensure they are informed of the stage of their request.

 Relationship breakdown. Individuals complain that they struggle to find someone to contact, and that their requests or communications are either not answered, or answered unsatisfactorily. Open dialogue is essential to maintaining a successful relationship. If the scope of a request needs to be adjusted, or a request is taking longer than expected, a lack of communication can have a significant detrimental impact on the relationship between the parties. Organisations should be proactive in ensuring that they communicate clearly, openly and fully with individuals who make DSARs.

 Build trust. Sometimes, DSAR requestors simply do not trust what they are being told. Transparency is key here, beginning with open and clear privacy policies.

 Promote understanding. Individuals making DSARs risk suffering a lack of understanding when met with poor communication. As a result, they may view an organisation’s response as unhelpful or unclear. The best way to combat this, from an organisation’s perspective, is to make sure you communicate in plain English, and ensure all communications are easy to understand.

Our Guide: How to Respond to a DSAR

The above advice from the ICO is sound, but organisations should consider implementing further good practice recommendations when handling DSARs, namely:

 Create a governance structure to manage DSARs. While not all organisations will need to appoint a Data Protection Officer (DPO), there should be a clear DSAR handling structure in place, with a specific individual responsible for overseeing the process. This individual should be able to coordinate all the necessary actions for a DSAR response, and ensure that it is properly completed. Though this may increase initial administrative costs, it can help prevent fines later on.

 Train employees. All staff need to understand what data privacy obligations they have. DSARs can be submitted in many forms, and staff should understand what a DSAR could look like, and what to do when one is received.

 Clarify the scope of a request. Requesters, particularly those who are not data privacy trained, are likely to make quite general DSARs. Every organisation holds the responsibility of ensuring that it understands exactly the nature of the request, limiting the scope as appropriate. Doing this early on will save time and resources, while satisfying honest DSARs more effectively.

 Audit trail. Having an audit trail is vital to demonstrating that an organisation has followed all the steps correctly and complied with any necessary obligations.

DSARs can be incredibly difficult to handle. They are often time-consuming, resource heavy and stress-inducing, especially when the threat of regulatory action hangs above you. However, responding to DSARs is also a necessary part of doing business in our data-driven world. People are more concerned with information privacy and protection than ever, and many want to have visibility of their data.

Being organised and structured, understanding your obligations, and communicating openly can help a business navigate these requests as smoothly as possible – and help avoid some uncomfortable conversations with customers and regulators alike.
