Amanda Lathia and Polly Atkins discuss the rise in DSARs since the GDPR was introduced in 2018, in Lawyer Monthly

  • August 20, 2019
  • By Amanda Lathia, Associate and Polly Atkins, Associate

DSARs: The Pitfalls And Recommendations

Since the GDPR rules were introduced in May 2018, data subject access requests (DSARs) have been on the rise. The ICO reports that data protection complaints from the public have gone up: 41,000 since May 2018 compared with 21,000 for the preceding year, possibly due to the removal of the statutory fee that data controllers were previously allowed to charge.

Organisations that are data controllers may well not have understood the work required to respond to a DSAR, and there is not much scope for rejecting one. An organisation may only refuse to respond to a DSAR if it is “excessive” or “manifestly unfounded”. “Excessive” has a very high threshold and typically applies to repeated requests from the same individual. To be “manifestly unfounded” would imply that the request is vexatious, malicious or designed to harass the data controller or cause disruption. Under Article 12(5) of the GDPR, the data controller has the burden of proof.

An organisation may request an extension of time beyond the requisite one month to respond to a DSAR only on the grounds that the DSAR is “complex”. The word “complex” is not defined under the GDPR, but the ICO indicates that a complex request could, for example, involve a significant number of tasks, manpower or hours and/or require the recruitment of one or more extra staff members to complete it. A request that is “complex” is not necessarily “excessive”.

Given that an organisation must respond to a DSAR within one month, it is imperative for organisations to be able to find and collate data quickly and accurately. The best way to achieve this would be to progress to digitised personal data and to phase out paper formats wherever possible. Organisations should also limit personal data retention to a maximum of 6 years (except where data must be retained in order to comply with the law) as this may help reduce the burden of responding to a DSAR.

It is possible that some organisations may be collating more information than necessary. For example, where the personal data is an email address, the organisation need only list the emails sent to or from the data subject and not necessarily the email content. A company holiday policy sent to employees via email, for instance, would not typically contain personal data specific to any employee, so there is no need to include the email content. The DSAR results can be sent electronically, so there is no need to print all the relevant documents and post them; they can be scanned and emailed.

An interesting point with regard to ‘personal data’ is how new technologies and analytics will continue to push the boundaries of what ‘personal data’ actually means, particularly when it comes to complying with a DSAR. For example, will voice recordings used as a means of identifying or authenticating individuals be included?

Organisations may need advice on digitising paper documents and using effective technology for speeding up data searches in response to a DSAR. The ICO has published its Technology Strategy for 2018 to 2021 which sets out eight “technology goals” and how the ICO intends to achieve them.

The intention is to increase public awareness and guidance to organisations, recruit and train specialists and staff, facilitate research and establish networks (both in the UK and internationally) to share knowledge and to explore new and innovative technologies as they develop.

This, together with the fundamental definition of personal data, is something on which continuing guidance will be needed as new technologies for recording different types of personal data develop.

This article was originally published in Lawyer Monthly.
