DSARs: The Pitfalls And Recommendations
Since the GDPR rules were introduced in May 2018, data subject access requests (DSARs) have been on the rise. The ICO reports that data protection complaints from the public have gone up: 41,000 since May 2018 compared with 21,000 for the preceding year, possibly because the statutory fee that data controllers were previously allowed to charge has been removed.
Organisations that are data controllers may well not have understood the work required to respond to a DSAR, and there is little scope for rejecting one. An organisation may only refuse to respond to a DSAR if it is “excessive” or “manifestly unfounded”. “Excessive” has a very high threshold and typically applies to repeated requests from the same individual. “Manifestly unfounded” implies that the request is vexatious, malicious or designed to harass the data controller or cause disruption, and under Article 12(5) of the GDPR the data controller bears the burden of demonstrating that this is the case.
An organisation may request an extension of time beyond the requisite one month to respond to a DSAR only on the grounds that the DSAR is “complex”. The word “complex” is not defined in the GDPR, but the ICO indicates that a complex request could, for example, involve a significant number of tasks, manpower or hours, and/or require the recruitment of one or more extra staff members to complete it. A request that is “complex” is not thereby “excessive”.
Given that an organisation must respond to a DSAR within one month, it is imperative for organisations to be able to find and collate data quickly and accurately. The best way to achieve this would be to progress to digitised personal data and to phase out paper formats wherever possible. Organisations should also limit personal data retention to a maximum of 6 years (except where data must be retained in order to comply with the law) as this may help reduce the burden of responding to a DSAR.
It is possible that some organisations are collating more information than necessary. For example, where the personal data held is an email address, the organisation need only list the emails sent to or from the data subject, and not necessarily the content of those emails. A company holiday policy sent to employees via email would not typically contain personal data specific to any employee, so there is no need to include the email content. The DSAR results can be sent electronically, so there is no need to print all the relevant documents and post them: they can be scanned and emailed.
An interesting point with regard to ‘personal data’ is how new technologies and analytics will continue to push the boundaries of what ‘personal data’ actually means, particularly when it comes to complying with a DSAR. For example, will voice recordings used as a means of identifying or authenticating individuals be included?
Organisations may need advice on digitising paper documents and using effective technology for speeding up data searches in response to a DSAR. The ICO has published its Technology Strategy for 2018 to 2021 which sets out eight “technology goals” and how the ICO intends to achieve them.
The intention is to increase public awareness and guidance to organisations, recruit and train specialists and staff, facilitate research and establish networks (both in the UK and internationally) to share knowledge and to explore new and innovative technologies as they develop.
Both this and the fundamental definition of personal data will require further, continuing guidance as new technologies for recording different types of personal data develop.
This article was originally published in Lawyer Monthly.