GDPR: Impact of Increasing Volume of SARs
Hard lessons have been learnt since the EU's General Data Protection Regulation (GDPR) came into force in May 2018, resulting in record-breaking fines and reputational damage for a growing number of the world's biggest corporations.
And, with the steady stream of news stories involving “accidental” data breaches, cyber-attacks, and wilful disregard for personal information, we hardly need to repeat the long list of offenders, along with their explanations for these incidents.
However, whilst there may be no acceptable excuses for non-compliance, as far as the law is concerned, it would be fair to say that, for the majority of companies that do business in EU states, the GDPR learning curve has been long, steep, and expensive.
Now, fifteen months since the GDPR came into effect, we take a look at an issue which, although not entirely surprising, is becoming a major concern for businesses, as they continue grappling with the law's legal requirements:
Subject Access Requests
Subject Access Requests (SARs) are increasing rapidly, as individuals exercise their rights to access their personal information.
During the time when the GDPR was being debated and drafted, a number of organizations expressed concern that the GDPR would turn SARs into a weapon to be used against them. This fear was subsequently realized as the GDPR began to take effect.
There has been an exponential increase in the number of data access requests being made, largely due to privacy concerns. SARs also have been used to support other legal matters, for example, when an employee is preparing to sue their employer.
However, the legal right to know what data an organization holds on an individual was available to EU residents long before the GDPR was made law. Even countries that have not yet passed data privacy laws include the right of access in a constitution or other law.
So, although SARs are not completely new under the GDPR or the Data Protection Act 2018, there are certain important changes that businesses could potentially be caught out by.
The Three Key Changes Under the GDPR
Firstly, under the Data Protection Act of 1998, companies could charge a £10 fee to the individual making a Subject Access Request. However, the GDPR does not allow such charges to be applied unless a request is “manifestly unfounded or excessive, in particular because of its repetitive character”.
Companies are permitted to charge a “reasonable fee” that takes into account the administrative costs of providing the information, or they can refuse to facilitate the SAR altogether. Although this might discourage particularly burdensome SARs, there is no official guidance on what is meant by “manifestly unfounded” or “excessive”. The company itself must demonstrate that the request is "manifestly unfounded" or "excessive". Consequently, relying on this provision would be risky except in extreme cases.
Second, under previous data protection law, a company was given up to 40 days to respond to a SAR. However, under the GDPR, companies are required to respond within one month, with a possible extension of two additional months for a particularly complex request, or if there are numerous requests.
If the deadline is extended, the company is required to inform the individual and provide the reasons for the extension. The period of one month begins from the moment the company receives a verifiable request.
The third key change is that SARs are no longer required to be made in writing. Requests may be made verbally by phone, via email or social media. The term "subject access request" does not need to be used. It must be made clear that the individual is requesting access to their own personal information, and not that of another person.
Training and Handling
The above three points highlight the importance of ensuring that all employees within an organization understand what a SAR is, and how to handle it.
This calls for general awareness education at the very least, for all employees, plus in-depth training for all staff members responsible for the processing and maintenance of personal data.
Specifically in terms of facilitating SARs, this requires rolling out appropriate training not only to Data Protection and Compliance personnel and the HR department, but also to management and others who might receive a SAR from a current or former member of staff.
In many cases an individual may simply wish to know what data is being held on them, in order to check its accuracy. They might also request that some or all of the data be deleted, or convey their objection to the processing of their personal data altogether.
In the case of employees, both past and present, it is unlikely that employers will be able to comply with most requests for erasure, or objection to processing, and therefore should not rely on consent in order to process employees' personal data.
However, the GDPR, like most of today's privacy laws, is designed not only to allow individuals to see what information organizations have about them, but also to improve the quality and accuracy of data and to enable participation in how and what data is processed.
But while SARs can assist with these stated objectives, feedback from data privacy professionals has suggested a different motivation behind the recent increase in SARs.
Privacy and Trust: Payback Time?
A recent article by Dataguise notes that for the past 20 years, organizations have amassed more and more data, using carefully crafted legal mechanisms, such as notices and contracts, to maximize their ability to collect and use personal information. But at some point, we reached a tipping point as digital consumers.
While we were busy enjoying the speed and convenience of newer and better digital technologies, we gave away our personal privacy to organizations we assumed we could trust—and felt there was nothing we could do, even if we wanted to do something about it.
Terms and conditions for online services are complex, lengthy, and hard to read, while privacy notices meant to clearly explain how personal information is used, are anything but clear. We scroll down, click the button, and accept them anyway, not even trying to make sense of what they say. We put up with opt-out buttons that are not easy to spot. We go online knowing everything we do is monitored and monetized. And while we may appreciate the increased relevance of the online ads served to us, those ads are a constant reminder that our activities and interests are regularly shared among companies.
But it wasn’t until data breaches became daily headlines that the loss of personal privacy turned into a loss of consumer trust in business. And it wasn’t until the GDPR - with its worldwide media attention on catchy concepts like the “right to be forgotten” - that consumers finally realized they had a way to fight back.
Responding to SARs: Important Points
Whilst there is no quick fix for responding to an ever-increasing number of Subject Access Requests, other than improving the efficiency of processes and/or increasing staffing levels, the following fundamentals should be observed in all cases:
Can you identify a living individual from the data, even if it has to be read alongside another document? Documents that have been properly anonymized might not necessarily contain personal data.
Does the information specifically relate to the individual or their activities? e.g. an email from the HR department to all employees concerning health and safety training is unlikely to contain any personal data.
What is the company’s purpose for retaining the data? If it is not for the purpose of maintaining a record about that individual, or of making decisions that directly concern them, it might not be deemed personal data.
The Information Commissioner's Office gives the example of data being held in order to monitor the efficiency of a piece of machinery, rather than any data held about the employees who operate it.
Are there any exemptions that apply? e.g. is the information covered by legal privilege or does the exemption for confidential references apply? Under the old regime this only covered a SAR made to the provider of a confidential employment reference. However, under the GDPR employers who are providing OR receiving confidential references can rely on an exemption under the Data Protection Act of 2018.
Does the data identify any other individuals? Special care must be taken when dealing with such data. Advice should be sought from a qualified data privacy practitioner. It is vitally important to consider whether or not other individuals have given their consent for that data to be disclosed.
Have SARs Changed the Data Privacy Landscape Forever?
Despite the unwelcome cost and “inconvenience” the GDPR has brought, the new law provides a positive new path for consumer privacy. Depending on your viewpoint, it encourages - or enforces - a more responsible approach to the handling of people’s personal information, it requires demonstrable compliance, and it requires a much greater degree of transparency over how personal information is processed.
More importantly, it does a very good job of upping the ante, from relying on policies, to designing better processes, and monitoring those processes.
As businesses improve data security and the overall protection of personal information, as well as the way they collect, process, and share that data, the nature of their interactions with data subjects will also evolve.
It could even be that the number and nature of SARs a business receives provides highly useful metrics for gauging the degree of trust consumers place in them.