Under GDPR, the way that data subject access requests should be dealt with has changed. But how can you manage them effectively while remaining compliant?
What are data subject access request fees?
Individuals (data subjects) have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a data subject access request or 'DSAR'.
Under GDPR, fees can only be charged for data access if the subject's request is repetitive, excessive or unfounded. But the burden of proof rests with the data controller.
Clearly, DSAR fees are intended to be nominal and to act as a deterrent to those who would seek to frustrate or hinder the usual business operations of a firm by making vexatious requests.
GDPR Article 12(5) states that the response to a DSAR must be provided free of charge, unless the request is deemed to be manifestly unfounded, excessive or repetitive in character, in which case the Data Controller can either levy a reasonable fee, taking into account the administrative burden associated with a response, or refuse to act on the request.
However, with either option the burden of proof relating to the manifestly unfounded, excessive or repetitive nature of the request lies firmly with the data controller. When choosing not to reply to a request, the Data Controller must, within one month, advise the data subject why, and inform them of their right to lodge a complaint or refer the matter to the supervisory authority.
Multiple & excessive DSAR requests
Assuming that the Data Protection Officer (or similar) is responsible for co-ordinating the response and collating the data supplied from one or more sources in the business, it is a fair and reasonable assumption that a minimum of two people would be involved in a DSAR response. At least one hour would be spent dealing with the request, resulting in a DSAR "earning" the Data Controller a maximum of £12.50 per hour, hardly enough to cover the costs associated with providing the response.
A small and reasonable fee applied to multiple or excessive requests made by a legitimate enquirer, on the other hand, would likely be paid. Although such a small fee does not come close to covering the time spent responding to a DSAR, it will to some extent deter multiple requests.
Manifestly unfounded data subject access requests
When requests are vexatious, the requestor would likely not pay a fee if asked. However, they may continue to make DSARs, write letters, send emails or call with the aim of wasting the time and money of the firm. This approach is often taken by disgruntled customers, who have, in their mind, had their own time and money wasted by the firm.
Even though GDPR gives a Data Controller the right to levy a fee in such circumstances, this is unlikely to bring an effective resolution to the harassing and pestering activities of someone who is determined to cause disruption.
Refusing to respond to such requests because they appear manifestly unfounded may be a more economical route for the Data Controller, although issuing a response citing this course of action will, as Article 12 requires, necessitate the Data Controller detailing why they are not responding and why they consider the request to be manifestly unfounded.
It is likely that the subject will still consider their request to be legitimate. As the situation is subjective, further commentary and/or communication between the parties may be needed until either the requesting party concedes or complains to the supervisory authority. Refusal therefore does little to reduce the impact of such vexatious requests.
ICO DSAR Checklists
The ICO has created two useful checklists to help you prepare for and deal with DSARs.
Preparing for subject access requests
- Know how to recognise a subject access request and understand when the right of access applies.
- Have a policy for how to record requests you receive verbally.
- Understand what steps you need to take to verify the identity of the requester, if necessary.
- Understand when you can pause the time limit for responding if you need to ask for clarification.
- Understand when you can refuse a request and be aware of the information you need to provide to individuals when you do so.
- Understand the nature of the supplementary information you need to provide in response to a subject access request.
- Have suitable information management systems in place to allow you to locate and retrieve information efficiently.
Complying with subject access requests
- Have processes in place to ensure that you respond to a subject access request without undue delay and within one month of receipt.
- Understand how to perform a reasonable search for the information.
- Understand what you need to consider if a third party makes a request on behalf of an individual.
- Be aware of the circumstances in which you can extend the time limit to respond to a request.
- Understand how to assess whether a child is mature enough to understand their rights.
- Understand that there is a particular emphasis on using clear and plain language if you are disclosing information to a child.
- Understand what you need to consider if a request includes information about others.
- Be able to deliver the information securely to an individual, and in the correct format.
Want to learn more about GDPR?
We have 50+ free compliance training aids plus you can keep up to date with news and best practices through our GDPR blogs. Or, if you're looking for a compliance training solution, why not visit our GDPR Course Library.
If you've any further questions or concerns about GDPR Compliance, please get in touch.
We are happy to help!