Companies hold the personal information of individuals which these individuals have the right to access. Refusing to provide the information is only acceptable if an exemption or restriction applies. Or, in the case where the request is manifestly unfounded or excessive.
What is a data subject access request?
Individuals (data subjects) have the right to access and receive a copy of their personal data and other supplementary information. This is commonly referred to as a data subject access request or 'DSAR'.
How long do you have to respond to a DSAR?
In general, companies have to respond to a DSAR without undue delay. The latest you can respond to a request is a month from the time that you received the request. Failure to respond to a request at all after 40 days will result in regulatory action and fines.
There is the option to extend the time limit by a further two months when the request is complex or if you have received multiple requests from the same individual.
What are DSAR response failure consequences?
It is a compliance requirement to respond to DSARs within a specific timeframe. Failure to adhere to this legal obligation could result in regulatory investigation and action. The ICO will issue reprimands and fines for these failures.
A reprimand is a written notice that details key compliance issues that the ICO has found and sets out the provisions of the legislation that have been breached. It also makes some recommendations on how the company can improve its compliance.
Fine amounts can be up to £17.5 million or 4% of the company's total annual worldwide turnover in the preceding financial year. Whichever of the two is higher.
Furthermore, individuals who have not had their DSARs handled correctly and have experienced distress could seek financial compensation. These consequences not only impact a firm financially but also damage its reputation.
Recent regulatory action by the ICO
The organisations listed below collected and processed personal data and then failed, on multiple occasions, to respond to DSARs either within the legal timeframe or at all. The ICO has taken regulatory action by issuing a reprimand against the following organisations:
- Ministry of Defense (MoD):
Despite having a recovery plan in place, the ICO identified a DSAR backlog that dated back to March 2020 and continued to grow, with about 9k in DSARs awaiting responses.
- Virgin Media:
The ICO found Virgin Media failed to respond to 19% of 9.5k DSAR over six months in 2021.
- Home Office:
The Home Office failed to respond to nearly 21k DSARs within the legal timeframe in 2021. As of July 2022, this number is now down to just over 3k outside the legal timeframe.
- London borough of Croydon:
Croyden Council failed to respond to more than half of DSARs in the legal timeframe from April 2020 to April 2021. In numbers, this means that 115 residents didn't get a response.
- Kent Police:
Within five months from October 2020, Kent Police received more than 200 DSARs, with 60% completed in the legal timeframe. With regards to the remaining DSARs, some of them reportedly took over 18 months to complete. As of May 2022, there are still 200 DSARs that are waiting for a response.
- London borough of Hackney:
The Hackney Council failed to respond to more than 60% of DSARs within the legal timeframe from April 2020 to February 2021. The oldest outdated DSAR is 23 months.
- London borough of Lambeth:
The Lambeth council received over 800 DSARs for the year beginning August 2020. Only 53% of these DSARs were responded to within a month.
What are data subject access request fees?
It is important to note that in most cases, companies cannot charge a fee. Clearly, DSAR fees intend to be nominal and deter those seeking to frustrate or hinder the usual business operations by making vexatious requests.
Under GDPR, companies can only charge fees for data access if the subject's request is repetitive, excessive or unfounded. But the burden of proof rests with the data controller.
GDPR, Article 12 (5) states that the response to a DSAR must be provided free of charge. Except when the request is deemed to be manifestly unfounded, excessive or repetitive in character, the Data Controller can either levy a reasonable fee, taking into account the administrative burden associated with a response or refuse to act on the request.
However, with either option, the burden of proof relating to the request's manifestly unfounded, excessive or repetitive nature lies firmly with the data controller. When choosing not to reply to a request, the Data Controller must, within one month, advise the data subject why and give them rights of referral to lodge a complaint or refer the matter to the supervising authority.
What are multiple & excessive DSARs?
Assuming that the Data Protection Officer (or similar) is responsible for coordinating the response and collating the data supplied from one or more sources in the business, it is a fair and reasonable assumption that a DSAR response would involve a minimum of two people.
Staff would spend at least one hour dealing with the request. That would result in a DSAR "earning" the Data Controller a maximum of £12.50 per hour, hardly enough to cover the costs associated with responding.
However, a small and reasonable fee applied to multiple or excessive requests made by a legitimate enquirer, on the other hand, would likely be paid. Although such a small fee does not cover the time spent responding to a DSAR, it will to some extent, deter multiple requests.
What are manifestly unfounded DSARs?
When requests are vexatious, the requestor would likely not pay a fee if asked. However, they may continue to make DSARs, write letters, send emails or call to waste the firm's time and money. This approach is often taken by disgruntled customers, who have, in their mind, had their own time and money wasted.
This is despite GDPR providing a Data Controller with the right to levy a fee in such circumstances. Charging a fee is unlikely to bring an effective resolution to the harassing and pestering activities of someone determined to cause disruption.
However, refusing to respond to such requests as they appear manifestly unfounded may be a more economical route for the Data Controller. Although issuing a response citing this course of action will, as Article 12 requires, necessitate the Data Controller detailing why they are not responding and why they consider the request manifestly unfounded.
Likely, the subject will still consider their request to be legitimate. As the situation is subjective, further commentary and/or communication between the parties may be needed until either the requesting party concedes or complains to the supervisory authority. Hence, doing little to reduce the impact of such vexatious requests.
Want to learn more about GDPR?
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.