Under GDPR, the way that data subject access requests should be dealt with has changed. But how can you manage them effectively while remaining compliant?
What are data access subject request fees?
Individuals (data subjects) have the right to access and receive a copy of their personal data and other supplementary information. This is commonly referred to as a data subject access request or 'DSAR'.
Under GDPR, companies can only charge fees for data access if the subject's request is repetitive, excessive or unfounded. But the burden of proof rests with the data controller.
Clearly, DSAR fees are intended to be nominal and act as a deterrent to those who would seek to frustrate or hinder the usual business operations by making vexatious requests.
GDPR, Article 12 (5) states that the response to a DSAR must be provided free of charge unless the request is deemed to be manifestly unfounded, excessive or repetitive in character, whereby the Data Controller can either levy a reasonable fee taking into account the administrative burden associated to with a response or refuse to act on the request.
However, with either option, the burden of proof relating to the manifestly unfounded, excessive or repetitive nature of the request lies firmly with the data controller. When choosing not to reply to a request, the Data Controller must, within one month, advise the data subject why and give them rights of referral to lodge a complaint or refer the matter to the supervising authority.
Multiple & excessive DSAR requests
Assuming that the Data Protection Officer (or similar) is responsible for coordinating the response and collating the data supplied from one or more sources in the business, it is a fair and reasonable assumption that a minimum of two people would be involved in a DSAR response.
Staff would spend at least one hour dealing with the request. That would result in a DSAR "earning" the Data Controller a maximum of £12.50 per hour, hardly enough to cover the costs associated with responding.
However, a small and reasonable fee applied to multiple or excessive requests made by a legitimate enquirer, on the other hand, would likely be paid. Although such a small fee does not run close to covering the time spent responding to a DSAR, it will to some extent, deter multiple requests.
Manifestly unfounded data subject access requests
When requests are vexatious, the requestor would likely not pay a fee if asked. However, they may continue to make DSARs, write letters, send emails or call to waste the firm's time and money. This approach is often taken by disgruntled customers, who have, in their mind, had their own time and money wasted by the firm.
Even with GDPR providing a Data Controller with the right to levy a fee in such circumstances. Charging a fee is unlikely to bring an effective resolution to the harassing and pestering activities of someone determined to cause disruption.
However, refusing to respond to such requests as they appear manifestly unfounded may be a more economical route for the Data Controller. Although issuing a response citing this course of action will, as Article 12 requires, necessitate the Data Controller detailing why they are not responding and why they consider the request manifestly unfounded.
Likely, the subject will still consider their request to be legitimate. As the situation is subjective, further commentary and/or communication between the parties may be needed until either the requesting party concedes or complains to the supervisory authority. Hence, doing little to reduce the impact of such vexatious requests.
ICO DSAR Checklists
The ICO has created two useful checklists to help you prepare for and deal with DSARs.
Preparing for subject access requests
- Know how to recognise a subject access request and understand when the right of access applies.
- Have a policy for how to record requests you receive verbally.
- Understand what steps you need to take to verify the identity of the requester, if necessary.
- Understand when you can pause the time limit for responding if we need to ask for clarification.
- Understand when you can refuse a request and know the information you need to provide to individuals when you do so.
- Understand the nature of the supplementary information you need to provide in response to a subject access request.
- Have suitable information management systems in place to allow you to locate and retrieve information efficiently.
Complying with subject access requests
- Have processes in place to ensure that you respond to a subject access request without undue delay and within one month of receipt.
- Understand how to perform a reasonable search for the information.
- Understand what you need to consider if a third party requests on behalf of an individual.
- Be aware of the circumstances in which you can extend the time limit to respond to a request.
- Understand how to assess whether a child is mature enough to understand their rights.
- Understand that there is a particular emphasis on using clear and plain language if you disclose information to a child.
- Understand what you need to consider if a request includes information about others.
- Be able to deliver the information securely to an individual and in the correct format.
Want to learn more about GDPR?
If you'd like to stay up to date with GDPR best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to the Skillcast Compliance Bulletin.
To help you navigate the compliance landscape, we have collated searchable glossaries of key terms and definitions across complex topics, including GDPR, Equality, Financial Crime and SMCR. We also regularly report key learnings from recent GDPR fines. And if you're looking for a compliance training solution, why not visit our GDPR Course Library?.
You can follow our ongoing YouGov research into compliance issues, attitudes and risk perceptions in the UK workplace through our Compliance Insights blogs.
Last but not least, we have 70+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations and even e-learning modules!
If you've any questions or concerns about compliance or e-learning, please get in touch.
We are happy to help!