Amanda Lathia and Polly Atkins discuss DSARs on the rise since GDPR introduced in 2018, in Lawyer Monthly

  • August 20, 2019
  • By Amanda Lathia, Associate and Polly Atkins, Trainee Solicitor

DSARs: The Pitfalls And Recommendations

Since the GDPR rules were introduced in May 2018, data subject access requests (DSARs) have been on the rise. The ICO reports that data protection complaints from the public have gone up: 41,000 since May 2018 compared with 21,000 for the preceding year, possibly due to the removal of the statutory fee that data controllers were previously allowed to charge.

Organisations that are data controllers may well not have understood the work required to respond to a DSAR, and there is not much scope for rejecting one. An organisation may only refuse to respond to a DSAR if it is “excessive” or “manifestly unfounded”. “Excessive” has a very high threshold and typically applies to repeated requests from the same individual. To be “manifestly unfounded” would imply that the request is vexatious, malicious or designed to harass the data controller or cause disruption. Under Article 12(5) of the GDPR, the data controller has the burden of proof.

An organisation may request an extension of time beyond the requisite one month to respond to a DSAR only on the grounds that the DSAR is “complex”. The word “complex” is not defined under the GDPR, but the ICO indicates that a complex request could involve, for example, a significant number of tasks, manpower or hours and/or would require recruitment of extra staff member(s) to complete it. If a request is “complex”, it does not mean that it is “excessive”.

Given that an organisation must respond to a DSAR within one month, it is imperative for organisations to be able to find and collate data quickly and accurately. The best way to achieve this would be to progress to digitised personal data and to phase out paper formats wherever possible. Organisations should also limit personal data retention to a maximum of 6 years (except where data must be retained in order to comply with the law) as this may help reduce the burden of responding to a DSAR.

It is possible that some organisations may be collating more information than necessary. For example, for personal data such as email addresses, the organisation need only list emails sent to/from the data subject and not necessarily the email content. A company holiday policy sent to employees via email, for instance, would not typically contain personal data specific to any employee, so there is no need to include the email content. The DSAR results can be sent electronically so there is no need to print all the relevant documents and post them – they can be scanned and emailed.

An interesting point with regard to ‘personal data’ is how new technologies/analytics will continue to push the boundaries of what ‘personal data’ actually means, particularly when it comes to complying with a DSAR. For example, will voice recordings as a means of identifying/authenticating individuals be included?

Organisations may need advice on digitising paper documents and using effective technology for speeding up data searches in response to a DSAR. The ICO has published its Technology Strategy for 2018 to 2021 which sets out eight “technology goals” and how the ICO intends to achieve them.

The intention is to increase public awareness and guidance to organisations, recruit and train specialists and staff, facilitate research and establish networks (both in the UK and internationally) to share knowledge and to explore new and innovative technologies as they develop.

Further guidance on this, and on the fundamental definition of personal data, will continue to be needed as new technologies for recording different types of personal data develop.

This article was originally published in Lawyer Monthly.


Hunters Law LLP is authorised and regulated by the Solicitors Regulation Authority (number 657218)