<img src="https://certify.alexametrics.com/atrk.gif?account=b2hlr1ah9W20em" style="display:none" height="1" width="1" alt="">
    Get started

    data subject access requests

    Under GDPR, Article 12 (5), a response to a Data Subject Access Request (DSAR) must now be provided free of charge, unless the request is deemed to be manifestly unfounded, excessive or repetitive in character, whereby the Data Controller can either levy a reasonable fee taking into account the administrative burden associated to providing a response or refuse to act upon the request.

    However, with either option the burden of proof relating to the manifestly unfounded, excessive or repetitive nature of the request lies firmly with the data controller, and when choosing not to reply to a request, the Data Controller must, within one month advise the data subject why, and give them rights of referral to lodge a complaint or refer the matter to the supervising authority.

    So what does the removal of the DSAR fee mean exactly?

    Let’s unpack this a little further. Firstly, let’s examine the removal of the fee. In my experience, any Data controller who previously charged a fee for responding to a DSAR, charged anything from £10 to £25 per response. Assuming that a Data Protection Officer (or similar) would be responsible for co-ordinating the response, and collating the data supplied from one or more sources in the business, it is a fair and reasonable assumption to make, that a minimum of two people would be involved in a DSAR response, and that at least one hour would be spent in doing so, resulting in a DSAR “earning” the Data Controller a maximum of £12.50 per hour, hardly enough to cover the costs associated to providing the response. So clearly, the fee was always intended to be nominal, and to act as a deterrent to those would seek to frustrate or hinder the usual business operations of a firm, by making vexatious requests.

    However, in reality, such a person would not pay a fee if asked, and would continue to make DSARs, or make contact with the firm in other ways, letter writing, emails and calls to a call centre for example, all aimed at wasting the time and money of the firm – an approach often taken by disgruntled customers, who have, in their mind, had their time and money wasted by the firm. So even with GDPR providing a Data Controller with the right to levy a fee in such circumstances, it is unlikely to bring an effective resolution to the problem of the harassing, and pestering activities of someone who is determined to cause disruption.

    A small and reasonable fee applied to multiple or excessive requests made by a legitimate enquirer on the other hand, are likely to paid, although as we have seen above, such a small fee does not run close to covering the time spent responding to a DSAR, even if it is made in a legitimate manner.

    Refusing to respond at all however, may well be a more effective route economically for the Data Controller, although issuing a response citing this course of action will, as Article 12 requires, necessitate the Data Controller detailing why it is not responding and why it considers the request to be manifestly unfounded.

    To be manifestly unfounded, will, in the eyes of the Data Controller be a fair and clear presentation of a situation. However, it may, on the other hand, be a manifestly legitimate request in the eyes of the requester, so such a statement would, to a large degree be subjective and therefore debateable by both sides, resulting in further commentary and/or communication between the parties, each proffering its view to the other, until such times as either the requesting party concedes, or complains to the supervisory authority, but now armed with what they will detail as the Data Controller’s unwillingness to act reasonably despite them being able to present tombs of correspondence on the matter with them.

    The conclusion therefore, the removal of the fee itself does very little to aid either the Data Subject or the Data Controller when it comes to responding to a DSAR.

    Want to know more about GDPR?

    As well as 30+ free compliance training aids, we regularly publish informative GDPR blogs. And, if you're looking for a training solution, why not visit our GDPR course library.

    If you've any further questions or concerns about GDPR, just leave us a comment below this blog. We are happy to help!

    Leave a comment


    Free Trial: Compliance Essentials

    Skillcast Essentials is our best-selling library and there's a reason for that. Essentials library provides comprehensive coverage of the key compliance / conduct issues that companies in the UK face today.

    Request now

    Meet Skillcast at Learning Live 2019

    About Learning Live 2019 Learning Live brings together over 500 learning leaders for two days of facilitated group activities and networking tackling the challenges of workplace learning. Uniquely, ...

    Read More
    Success Stories: Royal Mail Serious Games

    Royal Mail, the pre-eminent delivery company in the UK were looking to further embed compliance within their business. Skillcast Serious Games was their ideal solution. Solution An online compliance ...

    Read More
    17 FAQs Answered About SMCR for Solo-Regulated Firms

    The extension of the SM&CR to FCA solo-regulated firms will impact over 50,000 financial firms. But how will the extension of the Senior Managers and Certification Regime (SM&CR) to FCA ...

    Read More
    FCA Compliance News – July 2019

    Our pick of the biggest compliance news in Financial Services this month: This month's roundup includes fines for BOS, HSBC historical debt collection, UBS insider dealing, rocketing FCA penalties ...

    Read More