Amanda Lathia and Polly Atkins discuss DSARs on the rise since GDPR introduced in 2018, in Lawyer Monthly

  • August 20, 2019
  • By Amanda Lathia, Associate and Polly Atkins, Associate

DSARs: The Pitfalls And Recommendations

Since the GDPR rules were introduced in May 2018, data subject access requests (DSARs) have been on the rise. The ICO reports that data protection complaints from the public have gone up: 41,000 since May 2018 compared with 21,000 for the preceding year, possibly due to the removal of the statutory fee that data controllers were previously allowed to charge.

Organisations that are data controllers may well not have understood the work required to respond to a DSAR, and there is not much scope for rejecting one. An organisation may only refuse to respond to a DSAR if it is “excessive” or “manifestly unfounded”. “Excessive” has a very high threshold and typically applies to repeated requests from the same individual. To be “manifestly unfounded” would imply that the request is vexatious, malicious or designed to harass the data controller or cause disruption. Under Article 12(5) of the GDPR, the data controller has the burden of proof.

An organisation may request an extension of time beyond the requisite one month to respond to a DSAR only on the grounds that the DSAR is “complex”. The word “complex” is not defined under the GDPR, but the ICO indicates that a complex request could involve, for example, a significant number of tasks, manpower or hours and/or would require recruitment of one or more extra staff members to complete it. If a request is “complex” it does not mean that it is “excessive”.

Given that an organisation must respond to a DSAR within one month, it is imperative for organisations to be able to find and collate data quickly and accurately. The best way to achieve this would be to progress to digitised personal data and to phase out paper formats wherever possible. Organisations should also limit personal data retention to a maximum of 6 years (except where data must be retained in order to comply with the law) as this may help reduce the burden of responding to a DSAR.

It is possible that some organisations may be collating more information than necessary. For example, where the personal data in question is an email address, the organisation need only list emails sent to/from the data subject and not necessarily the email content. A company holiday policy sent to employees via email, for instance, would not typically contain personal data specific to any employee, so there is no need to include the email content. The DSAR results can be sent electronically, so there is no need to print all the relevant documents and post them – they can be scanned and emailed.

An interesting point with regards to ‘personal data’ is how new technologies/analytics will continue to push the boundaries of what ‘personal data’ actually means, particularly when it comes to complying with a DSAR. For example, will voice recordings as a means of identifying/authenticating individuals be included?

Organisations may need advice on digitising paper documents and using effective technology for speeding up data searches in response to a DSAR. The ICO has published its Technology Strategy for 2018 to 2021 which sets out eight “technology goals” and how the ICO intends to achieve them.

The intention is to increase public awareness and guidance to organisations, recruit and train specialists and staff, facilitate research and establish networks (both in the UK and internationally) to share knowledge and to explore new and innovative technologies as they develop.

This, and the fundamental definition of personal data, are matters on which continuing guidance will be needed as new technologies for recording different types of personal data develop.

This article was originally published in Lawyer Monthly.
