ARTICLE
26 July 2024

Subject Access Requests - The Cost To Your Business

DS
DMH Stallard

Contributor

DMH Stallard logo

DMH Stallard is an award winning South East law firm with offices in London, Brighton, Gatwick, Guilford, Hassocks and Horsham. DMH Stallard has grown rapidly since it was established in 1970, and continues to maintain its focus on building long term relationships with clients to help deliver their goals and objectives.

Explore
Individuals have a right to request access and receive a copy of their data held by an organisation. Where an individual requests to access this data, or to find out how or why it is used...
UK Privacy
Photo of Georgie Swift
Photo of Rebecca Leeves
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

What is a subject access request?

Individuals have a right to request access and receive a copy of their data held by an organisation. Where an individual requests to access this data, or to find out how or why it is used, this is referred to as a subject access request ("SAR"), or a data subject access request.

SARs are relevant to any individual or organisation that processes personal data. As they are generally free and can be made easily without reason, individuals can submit requests in moments, yet responding to SARs is not so easy, and can take considerable time, effort and resource for businesses.

Why are SARs becoming more common?

The right for individuals to access their personal data held by organisations is not new and was first introduced by the Data Protection Act 1984. However, in recent years they seem to have become more prevalent, and a survey conducted by EY Law Professionals found that 60% of respondents had seen an increase in SARs in 2022, and this is expected to continue. A number of factors appear to have driven the increased demand:

  • Ease – The General Data Protection Regulation ("GDPR"), introduced in 2018, has made it even easier for individuals to submit requests and access their data.
  • Awareness – There have been several recent high-profile requests made by public figures, and this has increased public awareness and understanding.
  • Additional benefits – There has also been an increase in requests stemming from employment disputes, with employees seeking to access early disclosure of documents or leverage in settlement discussions.

The above factors, combined with an ever data reliant and data conscious society, have resulted in a huge increase in SARs.

Why should you consider outsourcing SARs?

Not only have SARs become increasingly common, but the level of data processed and retained by organisations has also increased, which has resulted in SARs becoming far more complicated for organisations to process and manage. Organisations typically have to retrieve data from various platforms and databases, and with new forms of technology appearing in the form of artificial intelligence, this will only increase.

Most organisations do not possess dedicated SAR resources, meaning that staff are removed from their usual roles, at the expense of the daily duties and requirements of the organisation. Since complex SARs take a considerable time to process, the result is a high internal cost to the business. Some organisations have also found an increase in 'bulk' requests, which can make outsourcing integral to managing their legal obligation whilst also ensuring business continuity.

This is coupled with the requirement to respond within one month of receiving the request. Whilst extensions are possible to the one-month turnaround time, these must be justifiable, and the result is a labour intensive effort to meet the deadline.

As noted above, employee-related requests are increasingly common and make up approximately a third of requests (EY Law Survey 2022). Given the complexity of different employees' personal data, coupled with important considerations regarding the applicability of exemptions, employee related requests are even more complicated. This is particularly the case if the context of the request is an employment dispute. Obtaining the correct advice and support in these instances is integral.

Why should you take SARs seriously?

The potential outcomes for failing to respond to a SAR properly include complaints made to the Information Commissioners Office, who may issue an fines or enforcement notice requiring certain action to be taken. Not only do such notices have a reputational risk associated with them, but individuals can also request that they receive compensation for failing to comply with the legislation. Whilst the level of damages awarded by the courts is relatively low, the costs associated with dealing with such a claim (particularly if there are many of them) may become very costly.

How can DMH Stallard help?

SARs will only become more frequent and more of a burden on organisations, regardless of how compliant your organisation is, and so ensuring you are prepared and have the appropriate resource is key.

At DMH Stallard, our commercial and employment team are experienced in providing expert advice and can review and assist with all aspects of your SARs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Georgie Swift
Georgie Swift
Photo of Rebecca Leeves
Rebecca Leeves
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More