“Information wants to be free”, was the old technology activist’s mantra – but someone has to pay the price. The catchphrase has taken on fresh meaning since the General Data Protection Regulation (GDPR) came along. It’s made people more aware they are entitled to copies of information about themselves, and it’s placing a heavy workload on organisations who have to comply. In this blog, I’m going to look at five ways to make this process easier to manage – and where it’s appropriate to push back.
Since May 2018, there has been a noticeable increase in data subject access requests (DSARs, or more commonly SARs). I know of one client whose SARs increased by more than 60 per cent in the past year. A survey of businesses in the UK by Parseq had a similar finding. Almost two-thirds of UK businesses reported that data access requests had risen since GDPR. Of that number, a huge majority faced challenges in responding effectively to those requests.
And that’s before we get to spurious requests, or what a younger generation might call ‘trolling’. I know of one case where a shoplifter submitted an access request for a store’s CCTV footage to check if they’d been caught in the act.
So what’s behind the increase in subject access requests? In many cases, they’re coming from employees who received training in data protection (it’s a requirement under GDPR). As a result, they all know that they can ask for copies of their HR files. Another factor behind the increase in SARs is higher public awareness about their right to information under the regulation.
What’s more, they can submit a request for free, so why wouldn’t they? It doesn’t cost them a thing. The cost transfers to the data controller instead. The increase in SARs has put a huge workload on organisations to compile and prepare this information. Firstly, there’s the cost of having a member of staff to work on the request (and the cost of the business disruption as a result). It’s not possible to automate this; a SAR needs human eyes, there is no other way around it. A lot of time and effort goes into the manual work to compile the data, read it carefully, and then redact information that is either commercially sensitive or relates to other people.
A second cost arises where the organisation needs to search through its email archive or its CCTV footage. This may well involve asking its IT supplier to perform these searches. It’s also worth noting that you must search under a range of different options: not just the person’s name, but different spellings and even initials, to make sure you haven’t missed anything.
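The name-variant search described above can at least be made systematic, even though the results still need human review. The following is an added example, not code from the original post: it builds the search terms for a data subject (full name in both orders, first initial plus surname, surname alone, and bare initials), folds diacritics, apostrophes and case so ‘Siobhán O’Neill’ and ‘siobhan oneill’ compare equal, catches one-letter misspellings of the surname, and tiers the hits into “strong” (exact name forms) and “review” (initials and near-miss spellings, which are prone to false positives). The mailbox, names and addresses are all constructed for the example.

```python
import re
import unicodedata
from dataclasses import dataclass

# Constructed sample archive standing in for an exported mailbox (not real data).
ARCHIVE = [
    {"id": "m1", "subject": "Contract for Siobhán O'Neill",
     "body": "Attached is the signed contract."},
    {"id": "m2", "subject": "Re: rota",
     "body": "Can S. O'Neill cover Friday? Also check with Oneill re: keys."},
    {"id": "m3", "subject": "Printer",
     "body": "The printer on floor 2 is jammed, so call IT."},
    {"id": "m4", "subject": "Appraisals",
     "body": "SO and JB appraisals are due next week."},
    {"id": "m5", "subject": "Order 4411",
     "body": "Customer Siobhan ONeil asked for a refund."},
]


@dataclass(frozen=True)
class Hit:
    message_id: str
    term: str        # the folded term that matched
    confidence: str  # "strong" (exact name form) or "review" (initials / near miss)


def fold(text):
    """Lower-case, strip diacritics and drop apostrophes, dots and hyphens."""
    nfkd = unicodedata.normalize("NFKD", text)
    stripped = "".join(ch for ch in nfkd if not unicodedata.combining(ch))
    return re.sub(r"['’.\-]", "", stripped).lower()


def levenshtein(a, b):
    """Edit distance, used to catch one-letter misspellings of the surname."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def search_terms(first, last):
    """Return (strong_terms, weak_terms) for a data subject's name."""
    f, l = fold(first), fold(last)
    strong = {f"{f} {l}", f"{l} {f}", f"{f[0]} {l}", l}
    weak = {f"{f[0]}{l[0]}"}  # bare initials, e.g. "so": needs a human to confirm
    return strong, weak


def find_subject_messages(archive, first, last):
    """Search subject+body of every message; return hits sorted by id and term."""
    strong, weak = search_terms(first, last)
    surname = fold(last)
    hits = set()
    for msg in archive:
        words = re.findall(r"[a-z0-9]+", fold(f"{msg['subject']} {msg['body']}"))
        joined = " ".join(words)
        for term in strong:
            if re.search(rf"\b{re.escape(term)}\b", joined):
                hits.add(Hit(msg["id"], term, "strong"))
        for term in weak:
            if re.search(rf"\b{re.escape(term)}\b", joined):
                hits.add(Hit(msg["id"], term, "review"))
        # near-miss surnames (one edit away, length >= 4 to avoid short-word noise)
        for w in set(words):
            if len(w) >= 4 and levenshtein(w, surname) == 1:
                hits.add(Hit(msg["id"], w, "review"))
    return sorted(hits, key=lambda h: (h.message_id, h.term))


if __name__ == "__main__":
    for hit in find_subject_messages(ARCHIVE, "Siobhán", "O'Neill"):
        print(hit.message_id, hit.confidence, repr(hit.term))
```

Run against the constructed archive, m1 and m2 come back as strong hits, m5 is flagged for review because “ONeil” is one letter off the surname, and m3 and m4 are flagged only because the initials “SO” collide with the English word “so”; the review tier is exactly the pile a person has to read before anything is disclosed or discarded.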
So, to make a long story a bit less long, SARs can be a big drain on resources for data controllers. Understandably, many organisations are confused about what they need to do. Here are my five tips that should help make the process easier.
Many people use the free template on the Data Protection Commission’s website when they send a SAR. But the problem is, the wording of this is so broad that it creates a huge burden for data controllers. “I wish to make an access request under Article 15 of the General Data Protection Regulation (GDPR) for a copy of any information you keep about me, on computer or in manual form in relation to…”
But you can get creative to see if you can narrow what you need to look for in the first place. If a SAR comes from an existing member of staff, it’s often simpler to set up a meeting. Invite them to come and meet HR and offer to photocopy whatever information they want to take.
In cases where it’s someone outside the organisation, there is nothing to stop you from contacting them and explaining the situation. You might say: ‘we have a lot of information about you, can you tell us exactly what you’re looking for?’ This really cuts down on the amount you need to search. (Sometimes the SAR letters come from solicitors and are tied to legal actions; in those cases, calling back might not be appropriate.)
Now that SARs are here to stay, it means everything in a file is potentially up for grabs. So it’s vital for data controllers to explain to all staff members that they need to keep records in a professional manner. I’ve been involved in SARs where I’ve seen the devil smiley face emoji, or worse, where someone complains that ‘so and so is a head wrecker’. Guess what? GDPR considers examples like those as expressing an opinion about someone. So it’s personal data the controller needs to disclose in a SAR. Not a good look for the organisation in question if it’s about a customer.
For SARs relating to an employee, you should narrow the field to internal communications that only relate to their employment. That could be emails to managers only, so you can exclude emails to customers, since that’s just the person doing their job. If the HR people are recording this communication properly in the first place, it makes internal SARs much easier.
The rules of GDPR give data controllers 30 days to respond to a SAR. They can also apply for an extension of a further 60 days if the information proves hard to locate. In my experience, many organisations instinctively respond to the request with a standard acknowledgement like ‘thank you for your request, we will be back in 30 days’ before they have even begun looking for information about that person, or know whether it will be possible to complete the request in that timeframe. Yet nowhere in GDPR does it say you must acknowledge a SAR immediately.
Instead, my advice is that as soon as you get a request, start compiling the information about the data subject. Give yourself 10 days to get the data, so you’ll have an idea of how much there is. When you have done that and reviewed the information, only then should you contact the subject. By that time, you’ll be better able to say if you can complete the request within the original timeframe or if you will need an extension. And remember, the extension is yours to avail of; when you inform the data subject, you’re telling, not asking.
CCTV footage comes up a lot in SARs, and under GDPR, it can be part of an access request. If it’s possible to identify the person, then you must provide the images to them. Many organisations I know hold CCTV files for far longer than they need to. It’s worth storing this data for only 30 days, in line with DPC recommendations. Not only is there a huge resource cost to identify people from footage – especially if the request doesn’t specify an exact date or time – but there’s a financial cost too. If other people are in the footage, you must blur out their faces, and I know of some cases where the price for this service was around €800.
It’s also worth knowing what the exemptions are. Data subjects are only entitled to request images that they are in. For example, they can’t ask for images to see if someone pranged their car in a car park.
Although GDPR talks about ‘data’, this term covers not just electronic records but physical hard-copy files too. However, the regulation states that any documents in a SAR must be in a filing system of some kind. For HR files, that might be everyone’s employee files kept in alphabetical order. If you can find a paper document easily, you must give it to the data subject who requests it. But the regulation also includes the concept of disproportionate effort. If the information is stored in a random box of papers and would take too long to find, you may be able to use this concept to exclude it from a SAR. A visitor book is one example: finding someone’s signature would involve reviewing pages and pages.
There are exemptions to the right of access. A data controller can refuse to act on a SAR if it can show that it is not in a position to identify the data subject (Article 12(2) of the GDPR); or if the SAR is manifestly unfounded or excessive, in particular because of its repetitive character (Article 12(5) of the GDPR).
Don’t interpret this as an excuse not to keep proper records. GDPR is a great opportunity to manage your data better. SARs are a fact of life, but with the right approach, they shouldn’t cause your organisation undue effort.