The burden of dealing with an increasing flurry of Data Subject Access Requests (DSARs) is a growing problem for data controllers throughout the UK. The combination of increased public awareness of their personal data rights and the level of personal data held by data controllers can make responding to DSARs a time consuming and expensive operation.
Addressing DSARs is not a trivial matter. Controllers that fail to respond to DSARs in an appropriate or timely manner will likely be in breach of their obligations under Article 15 of the General Data Protection Regulation (GDPR). This can give rise to disgruntled customers or employees, an expensive data claim and, in some instances, a financial penalty or enquiries into your data protection practices from the ICO.
The 'Data: a new direction' consultation (analysed below) may ease the burden on organisations facing a high volume of DSARs. Is a smarter solution required to truly address the problem?
DSARs – a new direction
The government are mindful of the impact of responding to DSARs on businesses' operations and, in September 2021, the Department for Digital, Culture, Media & Sport published a consultation setting out a series of proposals which they believe will "…keep people's data safe and secure, while ushering in a new golden age of growth and innovation right across the UK".
The consultation highlighted the impact, particularly on small organisations, of a high volume of DSARs being submitted and how this may significantly drain resources. To combat this the government have proposed:
(1) Amending the threshold for responding to a DSAR
The consultation recognised that the current grounds for refusing compliance with a DSAR (manifestly unfounded or manifestly excessive) are not commonly relied upon. It also recognised that DSARs were in some instances being used not as a vehicle to exercise a right of access to personal data, but rather to seek access to documents in connection with litigation. In an attempt to limit DSARs to those who are truly seeking access to their personal data, the government have proposed that the test for vexatious requests applied under the Freedom of Information Act 2000 (whether the request is likely to "cause a disproportionate or unjustifiable level of distress, disruption or irritation") should be applied. Further, the context and history of a request, including the identity of the requester and any previous contact with them, should be taken into account.
(2) Introducing a fee for submitting a DSAR and a costs cap
Here the government would introduce a cost ceiling, akin to those adopted by public bodies under the Freedom of Information Act 2000, typically being a cap of a few hundred pounds. Under this proposal organisations remain under a duty to respond to a DSAR, but only within the constraints of the cost limit. This would serve to limit the extent of the personal information an organisation could search for, but not serve as grounds to oppose a DSAR outright.
The ICO issued a lengthy response to the consultation in early October 2021. Considering the DSAR response proposals, the ICO supported greater clarity on when requests may be challenged on the basis that they are vexatious, but made clear that this must be balanced against ensuring that these measures do not undermine a data subject's right of access.
The ICO displayed greater concern with the proposals of reintroducing a fee when submitting a DSAR, particularly where it may restrict the rights of individuals with "limited financial means and who may be vulnerable in other ways". The ICO concluded that "a fuller assessment is needed to understand the implications of introducing a nominal fee, which potentially has a wide-ranging impact on people. This will ensure that any change is not disproportionate."
Adopting a smart approach
The consultation remains ongoing and is not due to close until 19 November 2021. Applying a costs cap and allowing controllers to refuse DSARs where they are not being used for their true purpose may reduce the burden on business. However, this may introduce a new strand of time-consuming correspondence with data subjects or the ICO explaining why a DSAR has either been refused or responded to in a particular manner. Regardless of the measures eventually adopted to combat the increased demand and cost of responding to DSARs, these are simply a means to treat the symptoms rather than provide a cure.
When addressing the escalating burden of DSARs in their consultation response, the ICO noted: "We have flagged the importance of taking a data protection by design approach when procuring and configuring new IT systems so that they facilitate providing information to people who may exercise their right of access." In truth, introducing the correct technology remains the only solution to dealing with the organisational burden caused by high-volume DSARs.
We have developed WBD Clarity as a targeted solution for responding to DSARs, allowing you to reduce the volume of personal data and streamline the review process. To see the benefits of the platform or discuss how WBD Clarity could help support your business, please contact us.