Since the introduction of the General Data Protection Regulation or GDPR in 2018, for many of our clients the greatest challenge when it comes to their data compliance efforts has been the effective handling of data subject access requests (“DSARs”).
In short, DSARs enable individuals to request access to, and information about, the personal data that organisations hold about them. While the right to make a DSAR was not new, the publicity that surrounded the introduction of the GDPR, combined with the public’s greater awareness of privacy rights as well as the abolishment of the need to pay a fee to submit a DSAR, has led to a steep rise in the number of such requests being made. A 2021 study commissioned by the DPO Centre estimated that six million UK adults have contemplated making a DSAR and a separate survey of data protection officers by the UK Data Protection Index revealed that those organisations surveyed received just under 11 DSARs per month on average.
The tight one-to-three-month timescales within which DSARs require to be responded places a huge burden on the HR, legal and IT teams who are often tasked with gathering the data requested and assessing what is and is not disclosable to the requester. From a cost perspective alone, research from the Data Privacy Group found that dealing with DSARs cost some organisations an eye-watering £336,000 per year.
While the purpose behind DSARs was to enable individuals to review and check that their personal data is being processed and handled fairly by organisations, increasingly individuals are using DSAR for more litigious purposes. Indeed, for us, in the employment law team, it has become almost inevitable that our clients will receive a DSAR as part of any employment dispute. They are often used as part of a “fishing exercise” in which individuals seek data that might support a grievance against their employer or an upcoming Employment Tribunal claim. Indeed, earlier this month, it was reported that Twitter had received a series of co-ordinated DSARs from a number of recently dismissed employees ahead of them planning to bring Employment Tribunal claims.
The UK government has acknowledged the issues that managing DSARs has created for organisations and has consulted on proposals to introduce changes to the statutory framework in its draft Data Protection and Digital Information Bill. The Bill, amongst other things, purports to limit the scope for individuals to make DSARs that are “vexatious” or “excessive”. However, it remains to be seen a) whether the Data Reform Bill is adopted into law; and b) how it will be interpreted in practice by the courts and, perhaps more crucially, the Information Commissioner’s Office – the UK’s data protection regulator.
In our experience, very often, the time and cost of responding to a DSAR can be effectively managed at an early stage by taking a proportionate approach to determining what specific searches are to be carried out for the data that has been requested. This is especially true where a vague request is made by an individual who is seeking “all their personal data”. This is where the DSAR team at Burness Paull can really add value and offer advice that might prove the difference between requiring clients to review thousands upon thousands of documents to respond to a DSAR compared to a much more manageable volume of data. We can also provide advice around achieving the delicate balance needed when responding to a DSAR against the backdrop of potential litigation – whether that is in the Employment Tribunal or otherwise. If we can be of assistance at all in relation to DSARs which you receive or if you would like to discuss how we can support or train your organisation to more effectively deal with these, please do not hesitate to get in touch.
For further information on how we can assist, please see here.
Written by
Related News, Insights & Events
Webinar: Essential elements of employment training
03/02/2025
We are delighted to launch our next “Essential Elements of Employment” training series, bringing legal issues to life in virtual webinars that are practical and meaningful.
Webinar: Employment Law Lab
28/01/2025
With employment law reform through the Employment Rights Bill in the pipeline, naturally trade union rights are high on the agenda for the present UK Government.
Risk horizon scan: 2025
January is the optimal time for businesses to review risk registers against management plans and goals for the next 12 months.