Data subject access requests: understanding the right and easing the burden

By Jade Kowalski, Charlotte Halford, Chris Air & Peter Given

Published 11 July 2024

Overview

The right of access, exercised through a data subject access request (DSAR), is a fundamental pillar of data protection law, allowing data subjects to obtain a copy of their personal data from an organisation. Through a DSAR, individuals are able to understand what personal data is being processed, how it is being processed and for what purpose. The right is inherently linked to the "lawfulness, fairness and transparency" principle: complying with a DSAR requires an organisation to be open and honest about its processing, and allows the individual to assess whether their personal data is being processed fairly and lawfully.

However, for many organisations this "fundamental right" can quickly become an expensive, resource-intensive and troublesome compliance burden (particularly given the short period of time in which to respond – one month unless an extension can be applied). This burden is even more acute where organisations hold a large amount of data in various systems and tools.

In this article, we look to examine the modern landscape surrounding DSARs whilst also providing some practical tips for handling and responding to them effectively and, hopefully, in a way that eases the compliance burden.


A soar in SARs – what are the causes?

Looking across the last decade or so, many organisations are receiving an increasing number of DSARs from customers, employees and other individuals. There are myriad reasons why organisations receive DSARs and why, for some organisations, the number is growing. Understanding these reasons, and taking steps to address those within the organisation's control, may help to reduce DSAR numbers. So, what is driving DSARs?


Greater awareness of data protection and personal data rights

While the right of access is not new, awareness of the right (and of other data subject rights) has increased over the years. There are a number of reasons for this. The GDPR requires organisations to be transparent about data subject rights in their privacy notices. Similarly, the ICO now publishes far more detailed guidance for individuals on its website, explaining how a DSAR can be made and what an individual is entitled to receive.

However, arguably a greater driver of public awareness is resources such as consumer-choice websites, which promote subject access requests as a method of obtaining information from an organisation as part of the exercise of wider consumer rights (e.g., claiming compensation for mis-selling). News reports of high-profile individuals (including Nigel Farage and Caroline Lucas) making DSARs, and of the consequences that followed, have also raised the profile of this right.


Rising levels of litigation and complaints

Gallagher has recently reported that the levels of litigation for UK businesses are increasing. Some of the contributing reasons for this are the cost-of-living crisis, economic instability and a generally more litigious society. In a somewhat parallel trend, the Financial Ombudsman expects a greater number of complaints over the coming year due to factors including financial concerns such as unaffordable lending, credit card complaints and scams.

It is common for a DSAR to accompany a dispute that a customer or employee has with an organisation, whether that be a customer service complaint, an employment claim or something else. The motive behind these DSARs can be to force a pre- or parallel-disclosure exercise in the hope of obtaining documents containing a 'smoking gun'. Similarly, a DSAR may be used to exert pressure on an organisation alongside the litigation or complaint. In some cases, we see DSARs raised simply out of frustration or anger, and not as part of a litigation strategy. These DSARs arise from perceived poor customer service or mishandling (for example, delayed payments or refunds, late deliveries, etc.).

A rise in disputes and complaints across UK businesses is likely to go hand in hand with an increase in the number of DSARs.


The luxury of time

During the COVID pandemic, many organisations also witnessed a rise in DSARs. Some of these DSARs were borne out of frustrations or complaints (see the preceding section). However, some of our clients have mused that DSARs may also have been raised in part because people had more time to raise them, given that shops and hospitality venues were closed and many people were furloughed.

In a similar vein, a downturn in the economy, in which individuals go out less or, worse, are made redundant, is also likely to be associated with an increase in DSARs, partly as a symptom of frustration but also because people have more time to raise them. For the same reason, some clients see seasonality in their DSARs: numbers may fall around Easter and in the lead-up to Christmas, when individuals are preoccupied with festivities, with spikes following thereafter.


The regulatory and judicial approach to DSARs

Perhaps unsurprisingly, the rise in DSARs has been accompanied by a parallel rise in judicial and regulatory scrutiny, both in the UK and the EU. In the UK, DSARs continue to be the most complained-about area of data protection law (approximately 40% of complaints handled by the ICO relate to Article 15 and the right of access), and the ICO has taken enforcement action where it considers this appropriate. In 2022, the ICO named seven organisations against which it took regulatory action for failing to comply with DSARs in accordance with the UK GDPR, including failures to respond within the statutory timescales. All seven organisations were issued with a reprimand.

In the EU, we have also seen enforcement (including fines) for non-compliance with the right of access. In June 2023, Spotify was fined approximately £4.3m for failing to comply with the requirements of Article 15 (specifically the requirement to provide, alongside the copy of the requested personal data, information about the nature of the processing). More recently (July 2024), the Lithuanian data protection authority fined Vinted approximately £2m, in part because it had not implemented measures enabling it to demonstrate that it had taken (or reasonably refused to take) action in response to access requests, as the accountability principle requires.

It is not just the regulators that have been busy. There have been a number of notable cases across the UK and the EU during 2023 and 2024, some of which we have summarised below.


Harrison v Cameron & ACL [2024] EWHC 1377 (KB)

This case, heard in the High Court, concerned the claimant's DSAR made to the defendant.

The claimant, a property investor, engaged the defendant and his company, Alasdair Cameron Limited (ACL), to complete landscaping work on his garden. The contract for this work was terminated before the project was completed. Subsequently, the defendant recorded heated conversations between the two parties where the claimant threatened him. The defendant then shared the recordings, which ultimately found their way to several parties within the claimant's industry causing an alleged loss of business to the claimant. The claimant then made a DSAR to the defendant requesting the identity of the recipients of the recording, which the defendant refused.

One of the issues the Court was asked to determine was whether ACL was required to disclose the names of the recipients with whom the recordings had been shared (as requested by Mr Harrison in his DSAR). In addressing this question, the judge had regard to the recent CJEU decision in RW v Österreichische Post AG (C-154/21) which, post-Brexit, is not binding on English courts, although a court may have regard to it where relevant to the issues at hand (per section 6(2) European Union (Withdrawal) Act 2018).

The judge followed that decision and held that Article 15(1)(c) of the UK GDPR requires the controller to provide the actual identity of recipients, rather than merely the categories of recipients, where the requester asks for this, unless it is impossible to do so or the request is manifestly unfounded or excessive (where it is impossible to comply, only the categories of recipient need be disclosed). However, in this case ACL was entitled to rely on the rights of others exemption (paragraph 16, Schedule 2, Data Protection Act 2018), given its concerns about the claimant's harassing and threatening behaviour; the judge appeared to accept that the claimant's motive (to pursue hostile litigation) was a valid consideration in determining whether the exemption applied.


J.M. v Apulaistietosuojavaltuutettu and Pankki S (C-579/21)

In this case, the data subject requested from the controller (a bank) details of which of the controller's employees had accessed his personal data, when they did so and for what purpose, as he had concerns over the lawfulness of that access. This information was contained in log files held by the controller. The CJEU considered whether employees of the controller fell within the definition of 'recipient' for the purposes of Article 15(1)(c) of the EU GDPR, and thus whether their identities were something the data subject was entitled to know as part of the DSAR.

The CJEU held that employees are not generally 'recipients' where their access is carried out under the authority and on the instructions of the controller as their employer. However, the log entries recording the consultation of the data (when it was accessed and for what purpose) could themselves constitute the data subject's personal data, and whether the identity of the employees who accessed it should also be disclosed requires a balancing of the rights of the data subject against those of the employees concerned. Among other things, the CJEU also confirmed that the context in which a data subject makes a DSAR does not influence the scope of that right; in other words, DSARs are motive blind.


F.F. v Österreichische Datenschutzbehörde (C-487/21)

This case revolved around a request by the data subject for access to emails and database extracts containing personal data held by the data controller (CRIF GmbH). In response to the request, the controller sent the data subject, in summary form, a list of his personal data. The data subject complained, believing he should have received a copy of the documents (e.g., emails and database extracts) containing his personal data. The CJEU was therefore asked to consider what constitutes a 'copy' of personal data in respect of the right of access.

The CJEU clarified that the requirement to provide a 'copy' of personal data for the purposes of Article 15 is not satisfied by a general description of the data (i.e., a summary) or by a reference to mere categories of personal data. The right of access is a right to a 'faithful and intelligible reproduction' of the personal data being processed. This may necessitate the provision of extracts from documents or databases (or even entire documents) where the contextualisation of the data is necessary to ensure that it is intelligible to the data subject, as Article 12(1) GDPR requires. This may particularly be the case where the absence of information itself constitutes the data subject's personal data, which can only be conveyed by providing the document or extract.

While these CJEU cases are not binding on the English courts (as they post-date the UK's departure from the EU), they are noteworthy, not least given the English court's apparent willingness in Harrison to follow the CJEU's reasoning. They are, of course, directly relevant to businesses that are subject to the EU GDPR.


Artificial Intelligence and SARs – opportunities and challenges

Organisations continue to explore ways that AI can improve efficiencies and 'open new doors' for their businesses. However, the increased use of AI within organisations may also create difficulties when DSARs are submitted in relation to personal data processed using such technology.

As part of the right of access, a data subject is also entitled to be provided with information about the purposes of the processing, the existence of automated decision-making (including profiling) that produces legal or similarly significant effects on them, and meaningful information about the logic involved in that decision-making. Explaining complex AI technology and models in a manner that is comprehensible to a data subject when responding to a DSAR may create challenges for organisations. Organisations developing or deploying generative AI models will also need to ensure that they can comply with DSARs in relation to personal data contained in training, fine-tuning and output data, and potentially in the model itself. This will not always be straightforward, and the ICO has recently issued a call for evidence on engineering individual rights into generative AI models. Perhaps as an indication of the potential issues, noyb (the non-profit privacy rights organisation) recently filed a complaint against OpenAI, the operator of ChatGPT, for failing to comply with a DSAR in relation to the data used to power ChatGPT.

Of course, AI tools can also provide benefits in the retrieval and compilation of personal data in response to DSARs, potentially saving time and cost (although such tools have their own cost). There is also the potential for AI to apply simple redactions to information that the data subject is not entitled to receive, which can improve consistency, reduce human error and allow specialists to spend more time on the complex aspects of the DSAR. Two caveats apply. First, any such tool is itself processing the personal data in scope of the request, so it must sit within the organisation's existing security and processor controls rather than outside them. Second, AI cannot, at present, entirely replace human involvement in responding to DSARs.


Ensuring SAR compliance – top tips

Given the rise in DSARs, the regulatory and judicial focus, and the challenges posed by new technologies, it is easy for an organisation to feel overwhelmed. So, what steps can organisations take to make responding to DSARs more straightforward? Below we set out a selection of our top tips.

  • Tackle the root cause: while it may be easier said than done, organisations should try to understand the driver behind the DSARs that they receive. Where DSARs arise as a result of wider commercial issues, organisations may wish to invest time and resources into resolving those issues in order to reduce the number of DSARs that are made in the first place. If DSARs are borne out of frustrations or delays with an organisation's services, can the organisation take steps to appease customers and reduce the temptation to reach for the DSAR? Even if this is not feasible, understanding why (and when) DSARs are made will help an organisation better plan for DSARs and ensure it has appropriate resources in place. For example, if the organisation typically sees a spike in DSARs in January, it can use this information to plan accordingly and ensure it has sufficient resource to deal with the spike.
  • Accountability, workflow and record keeping: It is important to keep a good record of the requests received and how they are dealt with, and to implement a workflow that ensures DSARs are handled promptly and within the statutory deadlines. Comprehensive records also help organisations understand and tackle the root cause (see above). A weak workflow can result in deadlines being missed or in delays escalating DSARs to the correct team, creating avoidable pressure on in-house teams.
  • Train staff to recognise DSARs: There are no formal requirements for a DSAR, and one can arrive in any form and through any channel. It is important that staff can recognise DSARs and forward them to the relevant individual or department so that the deadlines are met. This requires regular training and awareness campaigns.
  • Don't delay and make use of the available time: The GDPR requires DSARs to be dealt with within one month of receipt. This can be extended by up to two further months where necessary, taking into account the complexity and number of the requests, but the data subject must be told of the extension, and the reasons for it, within the original one month. We often see organisations run into difficulties by not taking steps to comply with the DSAR promptly upon its receipt.
  • Leverage technology: There are a number of technologies available to organisations that can help streamline the response to a DSAR. These include tools to assist in the threading and de-duplication of emails, as well as the application of reliable redactions.
  • Take time to understand the request: By truly understanding the request (and asking for clarification where necessary), organisations can improve their searches, streamline the documentation for review and redaction, and provide the personal data the data subject is actually interested in, reducing the likelihood of a complaint about the handling of the DSAR. This may not be possible where the data subject requests "all their data" and declines to engage with requests to clarify or focus the request, but there are still many requests where this strategy will pay dividends.

At DACB, we regularly support clients with DSARs, and we offer an outsourced DSAR service. If you would like to discuss the points raised in this article, or our DSAR offering more generally, please contact one of the team below.