
Complying with data subject access requests

Brian Rogers

Regulatory Director

The introduction of the General Data Protection Regulation (GDPR) and Data Protection Act made headlines in 2018, but since then some businesses have taken their eyes off the “GDPR ball”. Many are leaving themselves exposed to complaints from data subjects and potential enforcement action by regulators.

Data protection has recently hit the headlines again in 2020. This is due to an announcement that the Government has ordered a major audit of the Information Commissioner’s Office (ICO), following claims that it does not have the clout to take on the tech giants and is not fit for purpose. It will be interesting to see what comes of this review, but in the meantime the ICO will continue to focus its attention on protecting the general public.

The Covid-19 crisis has also led to an increase in the number of data subject access requests (DSARs) being made. However, with many businesses working remotely, some have struggled to comply with their obligations because they cannot get into closed archive facilities and offices.

Recent areas of concern

A recent report published by Guardum found a number of areas of concern that those responsible for data protection within businesses should be aware of and address as appropriate. The survey data came from 100 UK DSAR managers in organisations of 250 employees or more, but it is likely that the same problems will be affecting smaller businesses in one way or another. Some key findings of the survey data include:

  • 28 - the number of DSARs received each month
  • 48% - the proportion of DSARs that take longer than 30 days to complete
  • 33% - the proportion of DSARs that come through legal representation
  • 63% - those whose process for handling DSARs incorporates both manual and automated processes
  • 30% - the proportion of DSAR managers’ time taken up responding to DSARs
  • 6% - those that think the Covid-19 pandemic will lead to an unqualified acceptance of less data privacy amongst the public

The issues and best practice

In our recent blog we discussed the increase in data subject access requests since the Covid-19 lockdown and highlighted some of the issues being encountered by some businesses in complying with DSARs. We also provided some best practice advice that could be used to reduce the risks of being found non-compliant by the ICO, which can also be used to address some of the issues identified in the above report.

The ICO has said that it will take a pragmatic approach to enforcement during the Covid-19 crisis and will do what it can to educate members of the public and set their expectations until things return to some semblance of normality. However, it is likely that the flow of DSARs will continue, and therefore businesses should ensure they do all they can to meet their data protection obligations. If they can’t, they need to document the reasons, in case the ICO asks for them in response to a data subject complaint.

The Access Policies and Precedents library contains a DSAR policy which provides guidance on responding to data subject access requests, as well as template letters which can be used.

Download our Legal training catalogue for a complete list of our Policies and Precedents and compliance eLearning courses.