By Lenitha Bishop, Head of DPOs, The DPO Centre.
The number of data subject access requests (DSARs) that UK companies will receive from clients and suppliers is set to increase considerably in 2021, according to the latest UK Data Protection Index¹ results, which highlighted that there has already been a 66% increase in the average number of DSARs received since July 2020. Many companies are already struggling to adhere to data compliance obligations, and Covid-19 has undoubtedly increased the pressure.
What is a DSAR?
The implementation of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 has seen a significant number of individuals (data subjects) invoking the rights provided to them by these laws. These include the right of access (known as a Data Subject Access Request or DSAR), the right to be informed, the right to erasure, the right to object, etc.
For many organisations, it is DSARs that are the most common of these rights to be exercised and sometimes the most onerous to fulfil, especially given the strict response times that must be adhered to.
Your customers have the right to know if and how your organisation is processing their personal data, and if so, to be provided with a copy of such personal data, along with other supplementary information regarding the nature and scope of the processing. Whilst the latter should form part of your privacy policies/notices, the provision of copies of personal data can pose its own problems. Responding to DSARs can be very time consuming for organisations, and in most cases they have only one calendar month to respond to the request.
It is important that such requests are handled fairly, ensuring that the application of these rights does not undermine other obligations on you, such as preserving the data protection or privacy rights of third parties, preserving any duties of confidentiality, ensuring compliance with law enforcement activity, social work and so on.
Providing copies of a data subject’s personal data can often create further challenges and questions, such as:
- What if their personal data was provided to you in confidence, such as from a confidential informant?
- What if their request is going to be time consuming or particularly voluminous?
- What if someone else is requesting the data on behalf of the data subject?
- What if the data identifies other staff or staff from other stakeholders?
These are just some of the considerations that need to be addressed as part of your company DSAR response.
The rise of DSARs amongst employees
The increase is likely due in part to employees becoming more ‘data savvy’ in requesting details of all the data an employer is holding on them. This may lead to more companies facing additional responsibilities and costs, which could be exacerbated further by the current business climate, for example, if an organisation decides to make employees redundant as a result of Covid-19 and those employees submit DSARs in an attempt to understand the data behind the decisions, sometimes as a precursor to claims and tribunal action.
Increasing rise of customers asking how your business is handling their data
The rise is not solely due to employees; clients and customers are also becoming more aware of their data rights and have more time to submit a DSAR whilst working from home.
A separate consumer study by The DPO Centre revealed that six million UK adults² have considered submitting a DSAR after feeling that a company had mishandled their personal data. Those aged between 18 and 34 years old are most likely to have considered submitting a DSAR (20%) compared to those aged 35-54 (14%) and 55+ (4%). The two studies combined indicate that companies can expect to see a big increase in DSARs in 2021, so companies need to have the right procedures in place to minimise disruption.
Seven steps companies can take when handling customer data
- Be open and honest about the personal data you collect and how it is used. Publish these details in your privacy notice
- Ensure your privacy notice is reviewed regularly and kept up to date
- Make it simple for data subjects to exercise their rights under data protection law by providing them with an easy way to contact you
- Respond to data subjects’ rights requests without undue delay and within the statutory timescales, usually one month from receipt
- Take a proactive approach to safeguarding data subjects’ rights by employing data protection by design and default (‘privacy by design’) principles when introducing new technology and processes
- With Brexit now behind us, companies need to understand the potential ramifications of the UK failing to receive an adequacy decision by June 2021 and how they can ensure international dataflows can continue
- If you process data on EU residents, but you do not have a presence in the EU, you may be legally required to appoint a Representative within the EU.
DSARs can be complex by their nature. If your organisation receives a DSAR and you are unsure of how to process it, it is important that you seek further advice or guidance from a Data Protection Officer (DPO) or advice from a privacy specialist. The DPO Centre has published a comprehensive white paper on the subject that can be downloaded by visiting www.dpocentre.com/dsar-whitepaper/
1 The UK Data Protection Index (organised by The DPO Centre and Data Protection World Forum) is published quarterly and offers a unique picture of the Data Protection Officer profession and its evolving views over time. If you would like to join the panel please visit www.thedpindex.com.
2 Research conducted by Opinium Research, 13-17 November 2020 based on a nationally representative weighted sample among 2,000 adults in the UK. 11% (229/2000) of the 52,673,000 million of UK adult population = 6,031,059