Legal Pitfalls in DSAR Compliance and How to Avoid Them
Data Subject Access Requests (DSARs) have become a central pillar in the protection of individual privacy rights under regulations like the General Data Protection Regulation (GDPR) in Europe and the Data Protection Act 2018 in the UK. These requests allow individuals, referred to as “data subjects,” to ask organisations for access to the personal data they hold, including how and why it is being processed. While DSARs are integral to upholding transparency and accountability in data processing, they also present various legal challenges and pitfalls for organisations. Non-compliance with, or mishandling of, a DSAR can lead to severe penalties and reputational damage.
This article explores the legal complexities surrounding DSARs, common pitfalls encountered by organisations, and best practices to avoid these challenges.
Understanding DSARs: The Legal Framework
GDPR and Data Subject Rights
The right to access personal data is enshrined in Article 15 of the GDPR. This right allows data subjects to obtain confirmation from an organisation as to whether their personal data is being processed. If so, the data subject can access:
- The purposes of the data processing
- The categories of personal data processed
- The recipients or categories of recipients of their personal data
- The data retention period or criteria for determining it
- Information about their rights (rectification, erasure, restriction, objection)
- Any available information about the source of the data (if not collected from the data subject)
- Whether their data is subject to automated decision-making, including profiling
The GDPR mandates that organisations respond to DSARs without undue delay and, at the latest, within one month of receiving the request. In some cases, this period may be extended by a further two months, but the organisation must inform the requester within the first month if such an extension is needed.
UK Data Protection Act 2018 (DPA)
The UK’s DPA 2018 complements the GDPR, particularly following the Brexit transition. It reiterates similar provisions for DSARs but also introduces specific national derogations. Notably, public authorities and organisations in certain sectors may benefit from exemptions or have slightly different obligations under this act.
However, the overarching principle remains the same: organisations must ensure that individuals can exercise their right of access to personal data in a transparent and timely manner.
Legal Pitfalls in DSAR Compliance
While DSARs seem straightforward in principle, they can become complex to manage, especially for organisations processing large volumes of data. Let’s explore the key legal pitfalls in DSAR compliance.
Failure to Meet the Deadline
One of the most common legal pitfalls is failing to respond within the required timeframe. GDPR stipulates a maximum of one month to respond to DSARs, with the possibility of an extension of two months for particularly complex requests.
Challenges:
- Data volume: Many organisations hold vast amounts of data in various formats, making it challenging to locate and extract all relevant information within a month.
- Internal processes: Organisations often lack well-defined processes for handling DSARs, resulting in delays. A request might need to pass through multiple departments, which can slow down the response time.
- Third-party involvement: Data may reside with third-party processors, requiring coordination to obtain the necessary information.
How to Avoid It:
- Create a DSAR response policy: Establish clear internal procedures to ensure DSARs are handled efficiently. Define roles and responsibilities, including who is responsible for collecting the data, reviewing it, and ensuring the response is sent on time.
- Implement automation tools: Investing in automated data discovery tools can help locate and extract data faster.
- Communication: If an extension is necessary due to the complexity of the request, inform the data subject promptly, outlining the reasons for the delay.
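The timing rules above (one month from receipt, a possible further two months, and the requirement to notify the requester within the first month) are easy to get wrong in a spreadsheet-driven process. The following is an added example, not part of this article, of a small deadline tracker that a DSAR team could use to compute the dates and to check whether an extension was notified in time. It assumes, since the article does not specify, that a "month" is the same day of the following month, clamped to the month's last day when that day does not exist; dates are exchanged as ISO strings so it can be wired into a ticketing system without further dependencies.

```python
import calendar
from datetime import date
from typing import Dict, Optional


def add_months(d: date, months: int) -> date:
    """Advance a date by whole months.

    Assumption (not stated in the article): the same day-of-month in the target
    month, clamped to that month's last day (31 Jan + 1 month -> 28/29 Feb).
    """
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def dsar_timeline(received: str) -> Dict[str, str]:
    """Key dates for a request received on the given ISO date.

    - initial_deadline: one month after receipt (the default response deadline)
    - extension_notice_by: the requester must be told of any extension by this
      date, i.e. within the first month
    - extended_deadline: receipt plus three months (one month plus a further two),
      counted from receipt rather than from the first deadline (an assumption)
    """
    r = date.fromisoformat(received)
    initial = add_months(r, 1)
    return {
        "received": received,
        "initial_deadline": initial.isoformat(),
        "extension_notice_by": initial.isoformat(),
        "extended_deadline": add_months(r, 3).isoformat(),
    }


def response_due(received: str, notice_sent: Optional[str] = None) -> str:
    """Return the binding deadline as an ISO date.

    An extension only counts if the requester was notified within the first
    month; a notice sent after that leaves the original one-month deadline in
    force, which is exactly the case a tracker should flag.
    """
    t = dsar_timeline(received)
    if notice_sent is not None and t["received"] <= notice_sent <= t["extension_notice_by"]:
        return t["extended_deadline"]
    return t["initial_deadline"]


def days_remaining(received: str, today: str, notice_sent: Optional[str] = None) -> int:
    """Days left until the binding deadline; negative means the request is overdue."""
    due = date.fromisoformat(response_due(received, notice_sent))
    return (due - date.fromisoformat(today)).days


if __name__ == "__main__":
    # Constructed sample request: received on a month-end date in a leap year.
    print(dsar_timeline("2024-01-31"))
    print("due:", response_due("2024-03-15", notice_sent="2024-04-20"))  # late notice, no extension
    print("days left:", days_remaining("2024-03-15", "2024-04-10"))
```

Because `response_due` ignores a late extension notice, a daily job that calls `days_remaining` for every open request will surface the cases where a team believes it has three months but is in fact already close to, or past, the one-month deadline.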
Excessive Redactions or Over-Disclosure
When responding to a DSAR, organisations are required to provide the personal data of the requester. However, they must ensure that they do not inadvertently disclose information about third parties or expose confidential business information. Excessive redaction of data can frustrate the data subject, while over-disclosure can result in a data breach.
Challenges:
- Identifying third-party data: Extracting personal data from mixed datasets can be challenging, especially when personal data of third parties is intermingled with that of the requester.
- Business secrets: Organisations must also be cautious not to reveal commercially sensitive information, such as intellectual property or trade secrets.
How to Avoid It:
- Invest in redaction software: Automated redaction tools can assist in removing personal data related to third parties and ensuring compliance with confidentiality obligations.
- Careful review: Data should undergo a thorough review by the legal or data protection teams before being released to ensure that no unnecessary disclosures are made.
- Balancing transparency and confidentiality: Be transparent with the data subject about any necessary redactions while ensuring that these are proportionate and justified.
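To make the third-party and business-secret problem concrete, here is an added example, not part of this article, of a redaction pass over a mixed dataset. It assumes a constructed export of support-desk messages with hypothetical people and addresses, an organisation mailbox that is not treated as third-party personal data, and lists of third-party names and commercially sensitive phrases that a human reviewer has already identified. It first scopes the dataset to records involving the requester (the data minimisation point), then replaces other people's identifiers and flagged confidential wording with placeholders, and records every redaction in a log that can be summarised for the data subject.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample export (hypothetical people and addresses): a support-desk
# mailbox where the requester's messages sit next to other customers' data.
SAMPLE_RECORDS = [
    {"id": 101, "from": "alice@example.com", "to": "support@example.com",
     "body": "My order 4471 has not arrived. Bob Jones (bob@example.com) signed for it."},
    {"id": 102, "from": "support@example.com", "to": "alice@example.com",
     "body": "Thanks Alice, escalated to the courier. Internal: margin model v3 applies."},
    {"id": 103, "from": "carol@example.com", "to": "support@example.com",
     "body": "Unrelated complaint about invoice 9000."},
]

# Assumed inputs from the review step: the organisation's own mailbox (not a
# third party), names of other data subjects, and commercially sensitive wording.
ORGANISATION_ADDRESSES = {"support@example.com"}
THIRD_PARTY_NAMES = ["Bob Jones"]
CONFIDENTIAL_PHRASES = ["margin model v3"]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def select_requester_records(records: Iterable[Dict], requester_email: str) -> List[Dict]:
    """Data minimisation: keep only records in which the requester appears."""
    req = requester_email.lower()
    return [r for r in records
            if req in (r["from"].lower(), r["to"].lower()) or req in r["body"].lower()]


def redact_record(record: Dict, requester_email: str,
                  third_party_names: Iterable[str] = THIRD_PARTY_NAMES,
                  confidential_phrases: Iterable[str] = CONFIDENTIAL_PHRASES) -> Tuple[Dict, List[str]]:
    """Return a redacted copy of the record plus one log entry per redaction.

    The original record is left untouched so the unredacted source can still be
    reviewed; the log lets the response explain what was withheld and why.
    """
    log: List[str] = []
    body = record["body"]

    def mask_email(match: "re.Match") -> str:
        addr = match.group(0)
        if addr.lower() == requester_email.lower() or addr.lower() in ORGANISATION_ADDRESSES:
            return addr  # the requester's own data, or the organisation's mailbox
        log.append(f"record {record['id']}: third-party e-mail address redacted")
        return "[THIRD-PARTY E-MAIL]"

    body = EMAIL_RE.sub(mask_email, body)
    for name in third_party_names:
        if name in body:
            body = body.replace(name, "[THIRD-PARTY NAME]")
            log.append(f"record {record['id']}: third-party name redacted")
    for phrase in confidential_phrases:
        if phrase in body:
            body = body.replace(phrase, "[CONFIDENTIAL]")
            log.append(f"record {record['id']}: commercially sensitive text withheld")
    return {**record, "body": body}, log


def build_dsar_bundle(records: Iterable[Dict], requester_email: str) -> Tuple[List[Dict], List[str]]:
    """Scope the dataset to the requester, then redact; returns (bundle, redaction log)."""
    bundle: List[Dict] = []
    log: List[str] = []
    for r in select_requester_records(records, requester_email):
        redacted, entries = redact_record(r, requester_email)
        bundle.append(redacted)
        log.extend(entries)
    return bundle, log


if __name__ == "__main__":
    bundle, log = build_dsar_bundle(SAMPLE_RECORDS, "alice@example.com")
    for rec in bundle:
        print(rec["id"], rec["body"])
    print("\n".join(log))
```

The pattern-based e-mail masking catches addresses the reviewer did not list, while names and confidential phrases still come from a human review: a pure pattern match cannot decide whether "Bob Jones" is a third party or a colleague acting for the organisation, so the lists are where the legal or data protection team's judgement enters the pipeline.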
Failure to Verify Identity
Organisations must ensure that the individual making the request is indeed the data subject before releasing any personal information. Failure to verify identity adequately can lead to unauthorised disclosure, which would constitute a breach of data protection laws.
Challenges:
- Remote verification: In the digital age, most DSARs are submitted electronically, making it difficult to verify the requester’s identity without face-to-face interaction.
- Balancing simplicity with security: While it’s important not to make the verification process overly cumbersome, it must be robust enough to prevent fraud.
How to Avoid It:
- Standardise identity verification: Develop clear guidelines for verifying the identity of the requester. This could include requesting government-issued ID or utility bills, or using multi-factor authentication methods for online submissions.
- Risk-based approach: For high-risk data, such as financial information or sensitive health records, implement stricter verification processes. For lower-risk data, simpler methods might suffice.
Improper Data Handling and Security During Processing
When fulfilling DSARs, organisations often collect, process, and transmit large quantities of personal data. Mishandling this data at any stage could result in unauthorised access, corruption, or loss, leading to a data breach.
Challenges:
- Data in transit: Transmitting data between departments, especially by insecure means (such as unencrypted emails), could expose personal data to unauthorised individuals.
- Data storage: Collected data may be stored insecurely during the DSAR process, making it vulnerable to theft or loss.
How to Avoid It:
- Secure transmission methods: Use encrypted communication channels when transmitting personal data, especially if sensitive data is involved.
- Temporary storage protocols: Implement secure protocols for the temporary storage of personal data while processing the DSAR. Ensure that data is promptly deleted after the request is fulfilled.
- Data minimisation: Only collect and process the personal data necessary to respond to the DSAR, limiting the risk of exposure.
Inadequate Training and Awareness
Another common pitfall is insufficient training of staff on how to handle DSARs. Employees may not fully understand the organisation’s legal obligations or the processes involved in responding to such requests, leading to errors and delays.
Challenges:
- Decentralised data: In large organisations, data is often stored in various departments or systems, and employees may not know where relevant information is located.
- Changing regulations: The legal landscape surrounding data protection is constantly evolving, making it difficult for employees to stay up-to-date with the latest requirements.
How to Avoid It:
- Regular training sessions: Ensure that all employees, especially those in data-heavy roles, receive regular training on DSARs and the organisation’s data protection obligations.
- Specialist teams: Consider setting up a dedicated DSAR response team or appointing data protection officers (DPOs) who are well-versed in GDPR requirements and DSAR management.
- Policy updates: Regularly update internal policies and procedures to reflect changes in the legal landscape and provide refresher training when necessary.
Refusing a DSAR Without Proper Grounds
Under the GDPR, organisations can refuse to respond to a DSAR in certain limited circumstances. These include instances where the request is “manifestly unfounded or excessive.” However, organisations must be cautious when refusing a DSAR, as unjustified refusals can lead to regulatory action and penalties.
Challenges:
- Unclear grounds for refusal: Determining whether a request is manifestly unfounded or excessive can be subjective, leading to the potential for errors.
- Repetitive requests: Some data subjects submit multiple DSARs in a short period, but organisations must ensure they have valid reasons for refusing repeat requests.
How to Avoid It:
- Document refusals carefully: If a DSAR is refused, ensure that the grounds for refusal are clearly documented and justified. Provide the data subject with a clear explanation of the reasons for the refusal and inform them of their right to complain to a supervisory authority.
- Manage expectations: Proactively manage the data subject’s expectations by providing clear information on what data can and cannot be provided, especially if the request would involve excessive or disproportionate effort.
Data Erasure Requests Conflicting with DSARs
Data subjects also have the right to request the erasure of their personal data under certain circumstances (the “right to be forgotten”). Organisations may find themselves in a situation where they receive both a DSAR and a request for data erasure, creating a potential conflict.
Challenges:
- Retention obligations: Organisations are often required by law to retain certain types of data, such as financial records or employee data, for specific periods. Balancing these legal obligations with a data subject’s request for access or erasure can be tricky.
- Conflicting rights: Data subjects may not fully understand the limitations of their rights, leading to conflicting requests.
How to Avoid It:
- Clear communication: Explain the organisation’s legal obligations to retain certain data and how these obligations impact the data subject’s rights.
- Retention schedules: Maintain up-to-date data retention schedules, ensuring that data is only retained for as long as legally required or necessary for business purposes.
- Collaborate with legal counsel: Work closely with legal experts to balance data retention laws with data subject rights, ensuring compliance on all fronts.
Consequences of Non-Compliance
Failure to comply with DSAR obligations can have serious consequences. Organisations risk hefty fines, which under GDPR can reach up to €20 million or 4% of global annual turnover, whichever is higher. Beyond financial penalties, non-compliance can damage an organisation’s reputation, eroding customer trust and leading to loss of business.
Conclusion: Best Practices for DSAR Compliance
To avoid the pitfalls associated with DSAR compliance, organisations should take a proactive and structured approach. Here are some key best practices:
- Develop a clear DSAR policy: Ensure your organisation has a robust policy outlining how DSARs should be handled from receipt to response.
- Use technology to your advantage: Implement automated tools for data discovery, redaction, and processing to speed up DSAR responses.
- Invest in staff training: Regularly train employees on GDPR and data protection best practices to reduce the risk of human error.
- Keep data protection at the forefront: Treat DSARs as part of a broader data protection strategy. Ensure you have a solid data governance framework in place to manage personal data responsibly.
- Consult legal experts: For complex or high-risk cases, consult legal counsel to ensure compliance with all regulatory obligations.
By implementing these strategies, organisations can navigate the legal pitfalls of DSAR compliance, minimising risk while upholding data subject rights in line with GDPR and DPA requirements.