Data Subject Access Rights: Weapons of Mass Disruption

Most businesses should be aware that EU data protection law is changing as a result of the General Data Protection Regulation (GDPR), which comes into force in the UK (and across the EU) on 25 May 2018. However, there is concern that the changes to DSARs could encourage individuals to use them as a weapon against businesses processing their personal data.

Contributors: Patrick Wheeler & Mette Marie Sutton – Collyer Bristow LLP.

GDPR builds on the previous Data Protection Regulation by giving individuals greater power to access and exercise control over their personal data; one example of this is the new rules regarding data subject access requests (DSARs). However, there is concern that the changes to DSARs could encourage individuals to use them as a weapon against businesses processing their personal data. So what exactly is the threat, and how can a business manage the associated risks?

GDPR establishes sets of obligations and rights. The obligations include processing personal data lawfully, fairly and in a transparent manner and providing information about how the individual’s data will be used. The GDPR also entitles individuals to receive confirmation that their personal data is being processed and obtain access to that data, along with certain supplementary information. The right is exercised by sending a DSAR to the business processing the data.

There are many reasons why an individual might want to know what personal data a particular organisation holds about them. Some of these, however, can have serious consequences for the business in question. For example, DSARs are already being used in the context of employment disputes as a tactical way of obtaining early disclosure of information before issuing legal proceedings. Under current data protection law, businesses can charge a £10 fee for responding to a DSAR. However, under GDPR, a copy of the information will need to be provided free of charge, with limited exceptions.

While a £10 fee would be unlikely to deter a disgruntled employee from seeking information relevant to a potential claim, research has suggested that around 25% of DSARs are not pursued when a request for payment of a fee is made. Therefore, where the fee may previously have deterred individuals, or groups of individuals, from ‘fishing expeditions’ or from causing disruption to businesses whose ethics or policies they disagree with, that deterrent will have gone. Indeed, the Ministry of Justice has predicted that the number of DSARs made each year will rise by between 25 – 40%.

The GDPR states that information will need to be provided without delay and at the latest within one month of receipt of the DSAR. That is a far shorter response period than the current 40 days. The new timescale can be extended by a further two months, but the business must notify the individual and provide reasons for the delay. Ultimately, a delayed or inadequate response to a DSAR could result in a complaint to the ICO which, if upheld, could be punishable by a fine.

Where a business processes large quantities of information about an individual, the GDPR permits the respondent to seek to narrow the scope of the request, by asking the individual to further specify the information being sought. However, there is no exemption simply because a request relates to large amounts of data, unless it can be shown that the request is manifestly unfounded or excessive. Furthermore, in order to rely on that exemption, a business will have to explain to the individual (and potentially the ICO) why it believes it is entitled to do so and provide evidence showing how that conclusion was reached.

Not all information connected with an individual will be personal data, so not everything needs to be disclosed. However, there is a considerable burden on those dealing with data protection matters to review all information which could be caught by the DSAR and then work out exactly what needs to be provided, within the strict timeframe. In each case, the business must also consider how to verify the identity of the individual making the DSAR to ensure that they are not themselves committing a data breach by disclosing personal data to the wrong person. And if this sounds like a high burden for a single DSAR, it is easy to see how a co-ordinated set of requests by a large number of individuals made at the same time could be time consuming, expensive and cause huge disruption.

What can be done to minimise the disruption? First, businesses should ensure that their privacy policies and notices give full details, in a transparent manner, of the purposes for which personal data is collected, used and retained. The clearer this communication is, the less likely it is that a data subject will have cause for complaint.

Second, a detailed and robust procedure is needed for recognising and responding to DSARs, as well as efficient systems to search and identify relevant personal data.

Finally, businesses should seek to clarify the reasons underpinning a wide-ranging DSAR, and see if the scope can be narrowed to the data that is of greatest concern to the individual. A form can be provided for an individual to submit a DSAR, which frames the request in a way that makes it easier for the business to respond. The individual does not have to use it, but most people are likely to.

In practice, even these three steps may not be enough to ward off a concerted attack by a large group of data subjects bent on disruption, and for that the business is likely either to need extra resource or outside assistance. However, taking no steps in preparation will leave a business seriously exposed.
