Dealing with Data Subject Access Requests
27 October 2020
Receiving a Data Subject Access Request (a ‘DSAR’) can be tricky for any organisation. On top of the extra work created for overstretched IT, HR and data privacy personnel, the potentially thousands of documents that a DSAR can cover need to be analysed, redacted and reproduced for the data subject, all within the deadline of a calendar month.
Organisations can be on the receiving end of DSARs from clients or customers, employees or workers and even members of the public. Ultimately anyone who you process personal data about can make a DSAR. In a workplace context, as acrimonious settlement discussions and redundancies are ticking up (courtesy of Covid-19) so are the number of DSARs.
What is a DSAR – and why are they hard to deal with?
The GDPR provides that a data subject – an ‘identified or identifiable natural person’ – has the right to receive confirmation from a data controller as to whether or not their personal data is being processed and (where it is) to have access to that personal data, plus some ‘supplementary information’ including how it is used, whom it is shared with and so forth.
‘Personal Data’ means (in simple terms) any information relating to the data subject. In an employment context this means that DSARs can cover not just ‘typical’ HR data such as that stored in the personal file, HR information systems, or payroll platforms but unstructured data contained in things like emails, meeting minutes and appraisal forms. When you consider how many emails a typical employee sends and receives in even a year, this puts a vast amount of data potentially within scope. While some DSARs will be focused on very clear topics, many data subjects will simply request all of the data a controller holds. Dealing with such requests can be complex and time consuming.
Not only will a data controller need to consider how to deal with the scope of the request in a fair and proportionate way, they will also need to consider the rights of third parties – which may require the redaction or removal of third-party data in some cases. This, alongside the frequent need to ensure that any legally privileged material is removed, means that a detailed review of the data is required before it can be disclosed.
Why are they linked to disputes?
A disgruntled employee may bring a DSAR to gather evidence for an Employment Tribunal claim or simply to increase pressure on an employer with the aim of securing a favourable exit package. Therefore, in the current climate of economic downturn and increasing redundancies, and with affected employees feeling they have little to lose in bringing a DSAR, they are only set to increase.
With big-name companies’ data breaches receiving high-profile news coverage, and templates for DSARs being readily available online, employees (and indeed customers) are increasingly aware of their rights when it comes to personal data. Moreover, both employees and Claimant lawyers know that - if nothing else - dealing with a DSAR can be time intensive and costly for an organisation, making them an easy tool with which to put pressure on an employer.
5 top tips for handling a DSAR
1. Remember that the clock is ticking!
The 30-day deadline will rush up quickly and you will need to act fast. Make a note of the date on which the DSAR was received and plan out how you will manage the response. Remember that for complex requests, it may be possible to extend time for a further two months.
2. Be prepared!
The ICO has recently issued guidance on DSARs that emphasises the importance of having appropriate systems and processes in place to help you manage requests. Having a clear DSAR policy will not only help your employees recognise DSARs and act quickly, but will also help the rest of the process run more smoothly. Such a policy should make clear who leads on requests, particularly as DSARs will typically involve coordination between departments (usually HR and IT at the least). Having a comprehensive, well-drafted privacy notice that covers the ‘supplementary information’ that needs to be provided to the data subject will also stand you in good stead.
3. Start searching!
Carry out a high-level search as soon as possible, to give you a feel for the size and scope of the data pool you will need to review. Which departments will hold the data you need? In what format will it be stored? Does the data subject have a common name, nickname or initials that will return large numbers of ‘non-material’ hits, not relevant to the DSAR? Will a lot of third-party data have to be redacted? Consider whether the answers to these questions might mean that the request is ‘complex’ for the purposes of extending time.
4. Hone your searches
Keyword searches using variants of the data subject’s name will almost certainly be needed (if not explicitly requested) as part of a DSAR. However, in many cases this alone will produce tens of thousands of documents. Combining name searches with other contextual search terms (‘grievance’ or ‘redundancy’, for example) can help you focus on the relevant data, but you may need to contact the data subject for their input on this process (particularly if you have received an ‘all data’ request with no context to help you).
5. Utilise technology
Your IT department (and good communication with it) will play a huge part in achieving the above steps, and with complying with your obligations under the GDPR. They are likely to be your best means of both gathering and then searching the data, particularly given the short deadline. Understanding what is, and is not, possible on your systems is important.
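Tips 3 and 4 describe a triage that an IT team is usually asked to script: search a mailbox export for variants of the data subject’s name, separate the ‘strong’ hits (full name, username, initial plus surname) from the ‘weak’ ones that a common first name or a pair of initials will throw up, narrow the pool with contextual terms, and note which messages mention other people so the third-party redaction effort can be sized. The following Python is an added illustration written for this page; it is not code from the original post or from the firm that wrote it. The messages, the data subject ‘Jane Smith’, the addresses and the context terms are all constructed, and the message structure (a list of dicts with `from`, `to`, `subject`, `body`) is an assumption about how an export might be loaded.

```python
import re

# Constructed sample mailbox export: hypothetical messages, not from any real system.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "hr@example.test", "to": ["jane.smith@example.test"],
     "subject": "Redundancy consultation meeting",
     "body": "Hi Jane, please see the attached redundancy consultation notes. Regards, HR"},
    {"id": "m2", "from": "bob.jones@example.test", "to": ["alice.wong@example.test"],
     "subject": "Lunch?",
     "body": "Fancy lunch on Friday? Jane said the new place is good."},
    {"id": "m3", "from": "alice.wong@example.test", "to": ["hr@example.test"],
     "subject": "Grievance raised by J Smith",
     "body": "JS has raised a grievance about the redundancy selection scoring. Can we discuss?"},
    {"id": "m4", "from": "it@example.test", "to": ["all-staff@example.test"],
     "subject": "Planned maintenance",
     "body": "Mail servers will be offline on Sunday."},
    {"id": "m5", "from": "jane.smith@example.test", "to": ["hr@example.test"],
     "subject": "My appraisal",
     "body": "Could I have a copy of my appraisal form from last year? Thanks, Jane"},
]

# Simple e-mail address matcher used to spot other correspondents (potential third-party data).
EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}")


def name_variants(full_name, username=None, nickname=None):
    """Build regex patterns for the data subject's name.

    'Strong' variants (full name, username, initial + surname) almost always
    refer to the subject. 'Weak' variants (first name alone, initials, nickname)
    are the ones that return large numbers of non-material hits for a common name.
    """
    parts = full_name.lower().split()
    first, last = parts[0], parts[-1]
    initials = "".join(p[0] for p in parts)
    strong = [
        rf"\b{re.escape(first)}\s+{re.escape(last)}\b",   # jane smith
        rf"\b{first[0]}\.?\s*{re.escape(last)}\b",        # j smith / j. smith
    ]
    if username:
        strong.append(re.escape(username.lower()))        # jane.smith (address local part)
    weak = [rf"\b{re.escape(first)}\b", rf"\b{initials}\b"]  # jane / js
    if nickname:
        weak.append(rf"\b{re.escape(nickname.lower())}\b")
    return [re.compile(p) for p in strong], [re.compile(p) for p in weak]


def message_text(msg):
    """Flatten headers and body into one lower-case string for searching."""
    return " ".join([msg["from"], *msg["to"], msg["subject"], msg["body"]]).lower()


def triage(messages, full_name, context_terms, username=None, nickname=None, subject_addresses=()):
    """Classify each message by name-match strength, flag context-term hits and
    list the other addresses present so third-party redaction can be scoped."""
    strong, weak = name_variants(full_name, username, nickname)
    ctx = [re.compile(rf"\b{re.escape(t.lower())}\w*") for t in context_terms]
    subject_addrs = {a.lower() for a in subject_addresses}
    result = {"strong": [], "weak_only": [], "no_match": [], "with_context": [], "third_parties": {}}
    for msg in messages:
        text = message_text(msg)
        if any(p.search(text) for p in strong):
            result["strong"].append(msg["id"])
        elif any(p.search(text) for p in weak):
            result["weak_only"].append(msg["id"])      # candidates for manual 'non-material' review
        else:
            result["no_match"].append(msg["id"])
            continue
        if any(p.search(text) for p in ctx):
            result["with_context"].append(msg["id"])   # name hit narrowed by a contextual term
        others = sorted(set(EMAIL_RE.findall(text)) - subject_addrs)
        result["third_parties"][msg["id"]] = others
    return result


def run_example():
    """Run the triage over the constructed export for the constructed data subject."""
    return triage(SAMPLE_MESSAGES, "Jane Smith", ["grievance", "redundancy", "appraisal"],
                  username="jane.smith", subject_addresses=["jane.smith@example.test"])


if __name__ == "__main__":
    summary = run_example()
    for key in ("strong", "weak_only", "no_match", "with_context"):
        print(f"{key}: {summary[key]}")
    for msg_id, others in summary["third_parties"].items():
        print(f"{msg_id}: other correspondents {others}")
```

On the constructed export the first-name-only hit (`m2`, a message about lunch that happens to mention a ‘Jane’) is reported separately from the messages that clearly concern the data subject, which is the effect the ‘common name’ question in tip 3 is driving at; the third-party list per message gives an early count of how much redaction the response will need.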
What can we do to help?
We have a team of lawyers who specialise in data protection and who have a wealth of experience in handling DSARs (and in particular onerous and excessive requests). More information about our service can be found here.