    data subject access requests

    Under GDPR, Article 12(5), a response to a Data Subject Access Request (DSAR) must now be provided free of charge, unless the request is deemed to be manifestly unfounded, excessive or repetitive in character, in which case the Data Controller can either levy a reasonable fee, taking into account the administrative burden of providing a response, or refuse to act upon the request.

    However, with either option the burden of proof relating to the manifestly unfounded, excessive or repetitive nature of the request lies firmly with the Data Controller. When choosing not to reply to a request, the Data Controller must, within one month, advise the data subject why, and inform them of their right to lodge a complaint or refer the matter to the supervisory authority.

    So what does the removal of the DSAR fee mean exactly?

    Let’s unpack this a little further. Firstly, let’s examine the removal of the fee. In my experience, any Data Controller who previously charged a fee for responding to a DSAR charged anything from £10 to £25 per response. Assuming that a Data Protection Officer (or similar) would be responsible for co-ordinating the response and collating the data supplied from one or more sources in the business, it is fair and reasonable to assume that a minimum of two people would be involved in a DSAR response, and that at least one hour would be spent in doing so. That results in a DSAR “earning” the Data Controller a maximum of £12.50 per hour, hardly enough to cover the costs associated with providing the response. So clearly, the fee was always intended to be nominal, and to act as a deterrent to those who would seek to frustrate or hinder the usual business operations of a firm by making vexatious requests.

    However, in reality, such a person would not pay a fee if asked, and would continue to make DSARs, or make contact with the firm in other ways, letter writing, emails and calls to a call centre for example, all aimed at wasting the time and money of the firm – an approach often taken by disgruntled customers, who have, in their mind, had their time and money wasted by the firm. So even with GDPR providing a Data Controller with the right to levy a fee in such circumstances, it is unlikely to bring an effective resolution to the problem of the harassing, and pestering activities of someone who is determined to cause disruption.

    A small and reasonable fee applied to multiple or excessive requests made by a legitimate enquirer, on the other hand, is likely to be paid, although as we have seen above, such a small fee does not come close to covering the time spent responding to a DSAR, even if it is made in a legitimate manner.

    Refusing to respond at all however, may well be a more effective route economically for the Data Controller, although issuing a response citing this course of action will, as Article 12 requires, necessitate the Data Controller detailing why it is not responding and why it considers the request to be manifestly unfounded.

    To describe a request as manifestly unfounded will, in the eyes of the Data Controller, be a fair and clear presentation of the situation. However, it may, on the other hand, be a manifestly legitimate request in the eyes of the requester, so such a statement would, to a large degree, be subjective and therefore debatable by both sides. The result is further commentary and/or communication between the parties, each proffering its view to the other, until such time as the requesting party either concedes or complains to the supervisory authority, now armed with what they will present as the Data Controller’s unwillingness to act reasonably, despite being able to produce tomes of correspondence with them on the matter.

    The conclusion, therefore, is that the removal of the fee itself does very little to aid either the Data Subject or the Data Controller when it comes to responding to a DSAR.
