Clarkslegal Law Bites

The seriousness of non-compliance with DSARs

November 04, 2022 Clarkslegal
Clarkslegal Law Bites
The seriousness of non-compliance with DSARs
Show Notes Transcript

In this podcast Melanie Pimenta and Sana Nahas members of the Data Protection team at Clarkslegal discuss some of the issues surrounding non-compliance with subject access requests, commonly known as “DSARs”. This is particularly topical given that the ICO has recently announced that it has issued reprimands to seven organisations for repeatedly failing to respond to data subject access requests under the UK GDPR. 

Melanie Pimenta 0:03
Hi, I’m Melanie and I’m joined by my colleague Sana. We’re members of the Data Protection team at Clarkslegal. Today we are going to discuss some of the issues surrounding non-compliance with subject access requests, commonly known as “DSARs”. This is particularly topical given that the ICO has recently announced that it has issued reprimands to seven organisations for repeatedly failing to respond to data subject access requests under the UK GDPR. 

Sana Nahas 0:34
To recap, under the UK GDPR, individuals have certain rights in respect of their personal data and can submit a DSAR to enable them to access their data. Such requests are to be taken seriously, and organisations must not delay responding to them. Organisations have one month to respond to a DSAR, but time taken to clarify a request will be taken into account. If the request is complex, or if the number of requests is very high, the time limit may be extended by a further 2 months, meaning an organisation could have up to 3 months to respond.

Melanie Pimenta 1:07
Yes, organisations that hold data on individuals are under an obligation to make that data accessible to those individuals, and face penalties if they fail to do this.

Sana Nahas 1:19
DSARs have been around for a while, but we’ve actually seen the ICO take serious action very recently haven’t we?

Melanie Pimenta 1:25
Yes, the ICO (the UK’s supervisory authority), took regulatory action against various organisations recently for failing to respond to data subject access requests.

Under the UK GDPR, the ICO has the power to serve formal reprimands as well as fines and other enforcement notices when a controller or processor contravenes the law. Such reprimands have not always been made public, but they sometimes are along with fines that are issued. This brings us to what we’ve seen announced by the ICO recently, with it taking action against 7 organisations. These organisations repeatedly failed to respond to DSARs in accordance with their legal obligations. Can you tell us Sana a bit more about what happened?

Sana Nahas 2:20
Thanks Mel. Well the ICO issued reprimands to these seven organisations after there were complaints in relation to multiple failures to respond to DSARs for copies of personal information collected and processed by these organisations. The organisations failed to respond within the legal timeframes, or did not respond all. These organisations received hundreds, and in some cases thousands, of DSARs. The ICO sends a strong message in promoting good practice and “naming and shaming” those who are non-compliant with data protection laws.

The consequence of these reprimands are that these organisations now have between 3 and 6 months to make improvements. Otherwise, further enforcement action could be taken against them.

In addition, Mr Andrew Laing, Head of Data Protection Complaints at the ICO, published a blog on DSARs, commenting that “the right of access is a fundamental one and it is essential that when requests are made they are responded to correctly”.

Melanie Pimenta 3:18
Yes and the ICO found that there are 4 common issues organisations were having with responding to DSARs,these were delay, relationship breakdown, trust and understanding. So let’s consider these in more detail.

Sana Nahas 3:34
Yes - in terms of delay, organisations were sometimes receiving complex requests, where organisations have the ability to extend the time limit to respond to DSARs from one month to 3 months because of exceptional circumstances. If a request is taking longer than expected to deal with, the individual making the request needs to be informed of this promptly and within the initial one-month period of the required response, the individual should also be provided with the reasons for delay.

Melanie Pimenta 4:03
The lack of communication and transparency in regards to the process, is what leads to relationship breakdown. If there is no one to contact, or questions are not being answered, or the responses being provided are incomplete or unsatisfactory, this ultimately leads to the relationship between the individual and the organisation breaking down and causing the individual to escalate the matter. If the request is broad or complex, organisations can ask individuals to provide search terms to assist with locating with the personal data, however organisations should not be seeking to limit the scope of an individual’s DSAR in this way.

Sana Nahas 4:46
Trust and understanding go together. Complaints are often the result of not understanding how an individual’s data is being used and not trusting what they are being told. It’s important for organisations to have data protection or DSAR policies and privacy notices in place so that potential data subjects can consult those policies and find out how their data will be handled. It’s important for organisations to be transparent about their processes and make this clear to individuals so that they can understand them.

The recent reprimands highlighted the lack of trust and confidence which was exacerbated by the sensitive nature of some of the requests. Individuals complained about not being given an answer as to the whereabouts of private documents, such as adoption papers. Data handlers need to be careful to store the data they have correctly and in accordance with their data retention procedures. What would you recommend organisations do to prevent these issues from occurring?

Melanie Pimenta 5:41
Well the starting point is for organisations to know what data they have, where it is stored, and its purpose. This can be done by organisations undertaking an audit. Establishing who owns the data and is therefore, the controller, will also be important so the controller can determine, for example, how long an organisation can retain the data and what it should do if it no longer needs it.

Secondly, there needs to be a focus on staff awareness and a culture embedded in organisations in relation to handling personal data, complying with data protections laws and responding to DSARs. Organisations should also ensure there are adequate safeguards in place, particularly in respect of special category data. A good practice to develop in an organisation would be to diarise the date of when a DSAR is received (as well as the ID documents required) to work out when the time limit will end and the date for response. So the earlier the DSAR is considered, the better this is to understand its complexity and whether it is likely that the response date will need to be extended. It also means that you can ensure early communication with the data subject to request additional information from the data subject, such as search terms to locate personal data, or explain if the time limit to respond will need to be extended.

Sana Nahas 7:12
Another step organisations can take to ensure a smooth and effective process for dealing with DSARs is to produce standard forms for individuals to complete and submit, the forms would include all the details the organisation could need to locate the information. It’s important to note that organisations will still have to comply with a DSAR even if it is not made in such a form, but  having a form available increases the chances of someone supplying all the information you need promptly.  When staff receive requests by telephone or in person, it is good practice to record details of them in writing and pass on to the appropriate department to manage. A good point to emphasise here, I think, is that an DSAR request can be made in any form, it can even be made on social media. It also doesn’t have to include the phrase ‘subject access request’. So, recognising the DSAR is important.

Melanie Pimenta 8:06
Yes completely agree. So our key takeaways from the ICO’s recent announcement in relation to reprimands, is for data handlers to be vigilant and ensure they are complying with the UK’s data protection laws. 

The reprimands issued recently should be taken as a warning to all data handlers. The ICO’s enforcement powers are extensive and the recent reprimands show the significant consequences for organisations if they repeatedly fail to comply with DSARs and other data protection obligations. 

Sana Nahas 8:40
Separately, although the UK has indicated recently that it has plans to potentially remove the UK GDPR, the law as it currently stands, confirms that it is mandatory to respond to DSARs and it is highly unlikely that any change in UK law would result in the removal of the right to access personal data.

If your organisation needs support with anything we have mentioned here today, particularly in relation to conducting audits or assisting with implementing processes for dealing with DSARs, you can contact our data protection team via email at contact@clarkslegal.com or find us via our website Clarkslegal.com.

Melanie Pimenta 9:20
Thank you for listening to this podcast!