Under GDPR, there is a specific way to deal with data subject access requests. But how can you manage them effectively while remaining compliant?
Companies hold the personal information of individuals, which these individuals have the right to access. Refusing to provide the information is only acceptable if an exemption or restriction applies, or where the request is manifestly unfounded or excessive.
Individuals (data subjects) have the right to access and receive a copy of their personal data and other supplementary information. This is commonly referred to as a data subject access request or 'DSAR'.
In general, companies have to respond to a DSAR without undue delay. The latest you can respond is one month from the date you received the request. Failure to respond to a request at all after 40 days will result in regulatory action and fines.
There is the option to extend the time limit by a further two months when the request is complex or if you have received multiple requests from the same individual.
Recently, Nigel Farage claimed that his bank accounts were closed by Coutts, a private bank, due to his political views. Following Farage's DSAR to Coutts, there has been a raft of other DSARs from banks. Coutts responded to Farage's DSAR by providing a 40-page document of information. This included details of Farage's account as well as communications between Coutts and the media about Farage.
This case has revealed that banks keep detailed records about their customers, including information on their political views and communications with the media. The ensuing raft of other DSARs from banks is likely to put pressure on banks to be more transparent about how they collect and use customer data. This also opens the door to banks coming under fire for violating customers' privacy.
It is a compliance requirement to respond to DSARs within a specific timeframe. Failure to adhere to this legal obligation could result in regulatory investigation and action. The ICO will issue reprimands and fines for these failures.
A reprimand is a written notice that details key compliance issues that the ICO has found and sets out the provisions of the legislation that have been breached. It also makes some recommendations on how the company can improve its compliance.
Fine amounts can be up to £17.5 million or 4% of the company's total annual worldwide turnover in the preceding financial year, whichever of the two is higher.
Furthermore, individuals who have not had their DSARs handled correctly and have experienced distress could seek financial compensation. These consequences not only impact a firm financially but also damage its reputation.
The organisations listed below collected and processed personal data and then failed, on multiple occasions, to respond to DSARs either within the legal timeframe or at all. The ICO has taken regulatory action by issuing a reprimand against the following organisations:
It is important to note that in most cases, companies cannot charge a fee. DSAR fees are clearly intended to be nominal and to deter those seeking to frustrate or hinder usual business operations by making vexatious requests.
Under GDPR, companies can only charge fees for data access if the subject's request is repetitive, excessive or unfounded. But the burden of proof rests with the data controller.
GDPR Article 12(5) states that the response to a DSAR must be provided free of charge. Where the request is deemed to be manifestly unfounded, excessive or repetitive in character, the Data Controller can either levy a reasonable fee, taking into account the administrative burden associated with a response, or refuse to act on the request.
With either option, however, the burden of proof relating to the request's manifestly unfounded, excessive or repetitive nature lies firmly with the data controller. When choosing not to reply to a request, the Data Controller must, within one month, advise the data subject why and inform them of their right to lodge a complaint with, or refer the matter to, the supervisory authority.
Assuming that the Data Protection Officer (or similar) is responsible for coordinating the response and collating the data supplied from one or more sources in the business, it is a fair and reasonable assumption that a DSAR response would involve a minimum of two people.
Staff would spend at least one hour dealing with the request. That would result in a DSAR "earning" the Data Controller a maximum of £12.50 per hour, hardly enough to cover the costs associated with responding.
A small and reasonable fee applied to multiple or excessive requests made by a legitimate enquirer, on the other hand, would likely be paid. Although such a small fee does not cover the time spent responding to a DSAR, it will, to some extent, deter multiple requests.
When requests are vexatious, the requestor would likely not pay a fee if asked. However, they may continue to make DSARs, write letters, send emails or call to waste the firm's time and money. This approach is often taken by disgruntled customers, who have, in their mind, had their own time and money wasted.
This is despite GDPR providing a Data Controller with the right to levy a fee in such circumstances. Charging a fee is unlikely to bring an effective resolution to the harassing and pestering activities of someone determined to cause disruption.
However, refusing to respond to such requests because they appear manifestly unfounded may be a more economical route for the Data Controller. Issuing a response citing this course of action will, as Article 12 requires, necessitate the Data Controller detailing why they are not responding and why they consider the request manifestly unfounded.
The subject will likely still consider their request to be legitimate. As the situation is subjective, further commentary and/or communication between the parties may be needed until either the requesting party concedes or complains to the supervisory authority, which does little to reduce the impact of such vexatious requests.
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.