Under UK data protection legislation, individuals, also called “data subjects”, have the right to make a data subject access request (DSAR) to organisations that “process” their personal data. Similar rights are required by both the EU’s General Data Protection Regulation and the California Consumer Privacy Act. Amongst other things, as part of a DSAR, data subjects can expect to receive a copy of their personal data.
While DSARs are not a new right, they continue to be a challenge for organisations and can quickly drain the resources needed to deal with them. This raises the question of why they are such a burden. We explore this in more detail in the article, where we cover topics such as:
- The breadth of the initial request from the data subject;
- What “Personal Information” means and the potential difficulties with locating information;
- The possibility of internal conflict where a DSAR may expose limitations in policies or procedures;
- The efficiency needed to complete a DSAR within the timeframe; and
- Dealing with tribunal proceedings alongside processing a DSAR.
Preparation Will Be Key to Managing Any Challenges
The ICO reported over 15,000 subject access complaints last year. If organisations fail to respond to a DSAR within the time limit, they could be in breach of their obligations under Article 15 of the UK General Data Protection Regulation. This may lead to more than a fine or a reprimand from the ICO. The individual making the request is likely to be quite unhappy and, depending on the circumstances, may bring a subsequent claim against the organisation, and the ICO may wish to delve deeper into the organisation’s data protection practices.
Whether or not your organisation receives a DSAR on a regular basis, the ICO states that it will be important to prepare and take a proactive approach to compliance.
Check out our article, where we explore the above in more detail.