Saha Dehsheykhi
Senior Associate
Article
Data security, compliance and cyber risk are key topics for any company board, especially as technology evolves and the business and regulatory environment changes apace. Staying ahead of developments is crucial for any organisation as it looks to grow its business, manage potential risks and demonstrate good governance. Yet, while focusing on the future, it is also important to evaluate existing policies and practices to ensure the fundamentals of managing data and cyber risk are covered.
Our 'data and cyber school' series focuses on some of those fundamentals, exploring key challenges companies may face, tried and tested prevention strategies, and how to respond to a potential issue or cyber breach. In this first article, we focus on data subject access requests (DSARs), providing key pointers on how to manage these requests effectively and avoid the financial and reputational cost of getting things wrong.
The right of access in Article 15 of the General Data Protection Regulation (GDPR) gives individuals a right to obtain a copy of their personal data from organisations, together with supplementary information about the processing of that data. This includes where the organisation obtained the data, what it is using it for and who it is sharing it with. The supplementary information must be provided in response to a DSAR whether or not the individual asks for it.
Personal data is defined as "any information relating to an identified or identifiable living individual". What identifies an individual can be as simple as their name, National Insurance number or date of birth, but other information relating to the individual may also allow you to identify them, on its own or when combined with data you already hold.
On receiving a DSAR, an organisation must respond within one month of receipt of the request. This timeframe can be extended in some cases, for example where the request is complex. It is important that organisations respond to these requests effectively and within the set timeframe, both to meet their obligations and to avoid the fines or reprimands that can follow if they are found to have fallen short.
During the period April 2022 – March 2023, the Information Commissioner's Office (ICO) reported receiving 15,848 complaints relating to DSARs. Overall, however, the total number of DSARs across all organisations in the UK is likely to be much higher, as many will be handled without direct ICO involvement. So, it's important that organisations are well prepared to respond to such requests and draw on available guidance to ensure that they have processes in place to support taking action when needed.
"I would like a copy of all the information you hold about me…"
This is a question an organisation may face at any point from customers, employees and other stakeholders, and plenty of businesses and in-house lawyers will be familiar with such requests. Over the years, we've seen an increase in the number of calculated and tactical DSARs. You know the ones we're referring to: the angry customer, the distrusting ex-employee or someone with a hidden agenda. That's not to say that everyone making a DSAR has some form of ulterior motive, but it's no surprise that when legal advisers are brought in to advise on such matters, something has gone markedly off beam…
Mishandling a DSAR can result in complaints to the ICO and, consequently, bring the risk of potentially substantial fines. Individuals may also have the right to take legal action for damages arising from a breach of data protection legislation and for misuse of private information. The recent case of Bekoe v London Borough of Islington [2023] EWHC 1668 (KB) attests to that right. The outcome of this case saw the High Court award Mr Bekoe £6,000 in damages for breach of the GDPR, as a result of an inadequate and delayed response to his DSAR.
To help organisations respond effectively to these types of requests, we've compiled a key points summary, including some of the lessons learnt from cases relating to DSARs:
Organisations must respond to a DSAR "as quickly as possible", "without undue delay" and within one month. The time starts running from the day the organisation receives the request, even if that day is a weekend or public holiday. The timeframe may be extended by a further two months, but only where the request is complex or your organisation has received several requests from the same individual.
On receiving the request, your first step should be to communicate with the data subject – even if this is simply a holding response. In the event that more time is needed to respond to the DSAR, you will need to let the individual know and explain why. The process will be less contentious if you are already liaising with them and your interaction is with a view to helping. In contrast, responding to the individual at the last minute to explain more time is required may lead to further issues down the line.
When communicating, do your best to understand, specifically, what the individual is after – can you closely define the date / time parameters? Are they asking for emails between specific personnel? Or is it a specific document they are trying to locate? This will help to narrow the scope of the request – an essential part of effectively managing a DSAR.
Search terms, filters and de-duplication will help to further refine the scope of the DSAR. A company can't simply ask for more time to deal with a DSAR because it does not have a sufficient process / policy in place to deal with it – for example, whereby data is kept in multiple folders, not labelled appropriately, not searchable, isn't kept up to date etc.
Our Data Protection & Cyber Security team has helped clients whittle down thousands of documents and emails to double digits using a platform that assists with DSARs. This is done through careful configuration of appropriate search terms, time parameters, de-duplication, de-threading and, importantly, redaction (more on this below). Each step reduces the volume that has to be reviewed by hand and makes the reviewing process more straightforward.
Under GDPR, you are required to provide copies of the individual's personal data in response to a DSAR, not entire email chains or documents that happen to contain it. The personal data of other individuals should generally be redacted unless they have consented to its disclosure or it is otherwise reasonable to disclose it without their consent. This means that once you've narrowed the scope of the request and filtered down the results, you will need to set time aside to carry out or check the redactions. Whichever approach you take, it is important to agree and apply a consistent redaction process.
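The narrowing and redaction steps described above (date and search-term scoping, de-duplication, de-threading and redaction of third-party data) can be sketched in code. The following is an added illustration written for this page; it is not code from the article or from the firm's DSAR platform. It assumes a hypothetical mailbox export already converted to Python dicts, a list of search terms that identify the data subject, and a reviewer-supplied list of third-party names and addresses to redact. The sample messages are constructed for the example and are not real data.

```python
"""DSAR e-mail triage: scoping, de-duplication, de-threading and redaction.

Added illustration only, not code from the article or any DSAR product.
Assumed (hypothetical) input: each message is a dict with id, date (ISO),
from, to, subject and body; quoted text in replies is prefixed with '>'.
"""
import hashlib
import re
from datetime import date

# Constructed sample mailbox export (not real data). m3 is an exact duplicate
# of m2, as happens when two custodians' mailboxes are exported; m4 is outside
# the date window and does not mention the data subject.
MESSAGES = [
    {"id": "m1", "date": "2023-02-01", "from": "alice@example.com", "to": "hr@example.com",
     "subject": "Grievance", "body": "Hi, I want to raise a grievance about Bob Jones.\nAlice"},
    {"id": "m2", "date": "2023-02-02", "from": "hr@example.com", "to": "alice@example.com",
     "subject": "RE: Grievance",
     "body": "Thanks Alice, noted.\n\n> Hi, I want to raise a grievance about Bob Jones.\n> Alice"},
    {"id": "m3", "date": "2023-02-02", "from": "hr@example.com", "to": "alice@example.com",
     "subject": "RE: Grievance",
     "body": "Thanks Alice, noted.\n\n> Hi, I want to raise a grievance about Bob Jones.\n> Alice"},
    {"id": "m4", "date": "2022-11-20", "from": "hr@example.com", "to": "bob.jones@example.com",
     "subject": "Payroll", "body": "Bob, your payslip is attached."},
    {"id": "m5", "date": "2023-03-15", "from": "manager@example.com", "to": "hr@example.com",
     "subject": "Team update", "body": "Alice Smith has been promoted; Carol Lee moves to sales."},
]
# Hypothetical scope agreed with the requester, and third parties identified on review.
SEARCH_TERMS = ["alice"]
DATE_FROM, DATE_TO = "2023-01-01", "2023-03-31"
THIRD_PARTIES = ["Bob Jones", "bob.jones@example.com", "Carol Lee"]
FIELDS = ("from", "to", "subject", "body")


def _norm(text):
    """Lower-case and collapse whitespace so near-identical text compares equal."""
    return re.sub(r"\s+", " ", text).strip().lower()


def in_scope(msg, terms, start, end):
    """Keep a message only if it falls in the date window and hits a search term."""
    when = date.fromisoformat(msg["date"])
    if not (start <= when <= end):
        return False
    haystack = _norm(" ".join(msg[k] for k in FIELDS))
    return any(_norm(t) in haystack for t in terms)


def dedupe(msgs):
    """Drop exact duplicates (same sender, recipients, subject and body), keeping the first seen."""
    seen, kept = set(), []
    for m in msgs:
        digest = hashlib.sha256(_norm("|".join(m[k] for k in FIELDS)).encode()).hexdigest()
        if digest not in seen:
            seen.add(digest)
            kept.append(m)
    return kept


def _own_text(body):
    """The sender's own lines, i.e. everything not quoted from an earlier message."""
    return " ".join(ln.strip() for ln in body.splitlines()
                    if ln.strip() and not ln.lstrip().startswith(">"))


def _quoted_text(body):
    """The quoted lines of a reply, with the '>' markers removed."""
    return " ".join(ln.lstrip("> ").strip() for ln in body.splitlines()
                    if ln.lstrip().startswith(">"))


def dethread(msgs):
    """Drop a message whose own text is reproduced in full in the quoted part of another
    message, so each thread is represented by its most inclusive reply only."""
    quoted = [_norm(_quoted_text(m["body"])) for m in msgs]
    kept = []
    for i, m in enumerate(msgs):
        own = _norm(_own_text(m["body"]))
        superseded = bool(own) and any(own in q for j, q in enumerate(quoted) if j != i)
        if not superseded:
            kept.append(m)
    return kept


def redact(text, third_parties):
    """Replace each third-party name or address with a marker; the data subject's data stays."""
    if not third_parties:
        return text
    pattern = re.compile(r"\b(?:" + "|".join(re.escape(t) for t in third_parties) + r")\b",
                         re.IGNORECASE)
    return pattern.sub("[REDACTED]", text)


def triage(msgs, terms, start, end, third_parties):
    """Run the pipeline and return the disclosable messages plus counts for the audit trail."""
    start, end = date.fromisoformat(start), date.fromisoformat(end)
    scoped = [m for m in msgs if in_scope(m, terms, start, end)]
    unique = dedupe(scoped)
    threads = dethread(unique)
    results = [dict(m, **{k: redact(m[k], third_parties) for k in FIELDS}) for m in threads]
    stats = {"exported": len(msgs), "in_scope": len(scoped),
             "after_dedupe": len(unique), "after_dethread": len(threads)}
    return results, stats


def run_example():
    """Apply the pipeline to the constructed sample with the hypothetical scope above."""
    return triage(MESSAGES, SEARCH_TERMS, DATE_FROM, DATE_TO, THIRD_PARTIES)


if __name__ == "__main__":
    disclosable, counts = run_example()
    print(counts)
    for m in disclosable:
        print(m["id"], m["date"], m["subject"], "|", m["body"].replace("\n", " "))
```

On the sample, the five exported messages reduce to two: m4 is out of scope, m3 is a duplicate of m2, and m1 is dropped because m2 quotes it in full, so the requester still receives its content once. The counts returned alongside the results are worth keeping: they document how the volume was narrowed if the process is later questioned. The de-threading rule here is deliberately conservative (a message is only dropped when its entire own text is quoted elsewhere), and the redaction list is supplied by a human reviewer rather than inferred, which is the part of the process that most needs a consistent, agreed approach.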
In collating the required data, emails must be reviewed pursuant to monitoring policies and relevant employees informed in line with transparency requirements. Email monitoring for this purpose should be: (i) necessary; (ii) on legitimate/lawful grounds of processing; (iii) proportionate; and (iv) carried out on the basis of having been transparent with employees.
Article 15 of the UK GDPR states that the controller should also give other information in the DSAR response, including: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipient to whom the personal data has been or will be disclosed; and (iv) where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period. This is something that is often forgotten. It is not simply a case of sending copies of the individual's personal details in a zip file.
In addition to compiling all of the above information, crafting the DSAR response itself will take time. When doing so, don't forget that the information should be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This is an area where businesses often welcome support and our team has helped a wide range of organisations present their response in a particular way to avoid having to disclose large and potentially sensitive documentation, while also ensuring the content is laid out in a way that is easy for the data subject to review.
On receiving a DSAR, it is important to clarify the request at the outset. As the clock starts ticking from when the request lands, time can be saved by clarifying what information is being sought. Taking this first step will help to better understand the scope of the request and ensure it is processed swiftly and effectively – ensuring resources are deployed appropriately and the request managed on time and in line with requirements.
Managing this process can be improved by drawing on the technology available to help compile the necessary information in an efficient and timely way. The amount of time involved should not be underestimated and will need to allow for both managing data collation and presenting the results in a clear and easy to understand way.
To talk further on any of the areas discussed in this article, please contact Amber Strickland or Saha Dehsheykhi in our Data Protection & Cyber Security team, which brings in-depth experience in advising on all aspects of the DSAR process; from identifying a DSAR, advising on data collection and appropriate search methodologies, managing timescales for a response and exemptions, to appropriate redactions, conducting a review via our DSAR platform, and preparing a response.
For more insight into data and cyber fundamentals as part of our 'data and cyber school' series, you can also sign up to our mailing list.
THIS DOES NOT CONSTITUTE LEGAL ADVICE. The information presented on this website, in whatever form, is provided for information purposes only. It does not constitute legal advice and should not be construed as such. No user should act, or refrain from acting, on the basis of this information alone, nor disregard the advice of a legal professional or delay consulting one because of anything read on this website. Gowling WLG's professionals will be pleased to discuss with users the various options available in respect of specific legal matters.