European Union | Sep 6 2017

Don't fall foul of data protection


Buried among the weighty provisions of the General Data Protection Regulation (GDPR) are some changes to the data subject access request (Sar) regime under the existing Data Protection Act 1998. The changes could be costly, particularly for businesses that hold large amounts of personal data on individuals. Non-compliance can lead to regulatory enforcement, litigation and a whole host of reputational issues. 

The government has announced that it will update existing data protection laws and bring the EU's impending GDPR into domestic law through a new Data Protection Bill. 

The GDPR, which applies from 25 May 2018, will change the Sar regime to make it easier, and free, for individuals to require an organisation to disclose the personal data it holds on them. 

Businesses might be forgiven for thinking that this is not the GDPR provision that should worry them most. Indeed, it might be difficult for some to see past the headline-grabbing fines (up to 4 per cent of global annual turnover or €20m, about £17m, whichever is higher). Further, the Sar regime is not new, given that individuals can already make Sars under existing law. However, businesses, particularly those that by their nature store a large amount of personal data, should not underestimate the impact the changes to the Sar regime might have on them going forward. 

There are several reasons for this. Many organisations have already reported an increase in the number of Sars being made of them, and this is likely to increase further with the abolition under the GDPR of the current £10 fee. A government impact assessment estimated that abolishing the fee might increase the number of Sars by between 25 and 40 per cent.

Under the GDPR, businesses will be required to respond to a Sar without undue delay and in any event within one month, rather than the current 40 days, placing an increased burden on already stretched resources. The one-month period can be extended by a further two months where a request is complex or numerous requests have been made, but the data subject must be told of the extension, and the reasons for it, within the first month. 

Several recent court decisions have been data-subject friendly. Previously, if the Sar regime was being used for collateral purposes, for example by a litigation opponent, then it might have been possible simply to refuse to respond to the Sar. That now seems much less likely, so businesses can expect more Sars being made for tactical reasons, such as to gain an advantage in litigation or to obtain data that might then be used to initiate proceedings.

Key Points

  • Changes to the data subject access request (Sar) regime could be costly.
  • The volume of personal data held by some businesses makes compliance more difficult.
  • Businesses should also prepare for an increase in litigation.

It might even be possible for a litigation opponent to obtain legally privileged documents by the Sar back door, if those proceedings are taking place in a foreign jurisdiction. A recent case – Dawson-Damer versus Taylor Wessing LLP – held that the privilege exemption only applies if privilege would be recognised in proceedings in the UK. 

The current law also permits a business to refuse to supply the data if doing so would involve disproportionate effort, yet the courts appear to take a different view of proportionality from the one most businesses might expect. For example, the court decision in Deer versus University of Oxford resulted in the university reviewing 500,000 documents at a cost of £116,000, which led to 33 new documents being provided to the data subject.

The sheer volume of personal data held by some businesses makes compliance more difficult and time-consuming. The GDPR also brings in a new – in some respects wider – definition of what constitutes personal data.

The current definition (data that relates to a living individual who can be identified from those data, or from those data and other information in the possession of the data controller, including expressions of opinion) has resulted in some ambiguity about the nature of certain data in today's online era, for example unique identifiers such as IP addresses. The GDPR now makes clear that online identifiers such as IP addresses and mobile device IDs can be personal data that a data subject can request details of.

Can businesses expect an avalanche of litigation and/or regulatory enforcement? The Information Commissioner's Office (ICO) issued nine enforcement notices in 2016 for failing to respond to a Sar without undue delay, which was more than in previous years.

That needs to be viewed in the context of the GDPR, which gives the ICO greater powers. No doubt many organisations will also have in mind their relationships with their own regulators.

Businesses should also prepare for an increase in litigation, because if a person can demonstrate that they have suffered damage, including distress, they may be entitled to compensation.

While any damages awarded would likely be minimal, there is obviously a nuisance value, as well as a financial value, to dealing with such claims. If one succeeds, it might open the floodgates – including to group actions. 

Perhaps more importantly, businesses must bear in mind the potential reputational damage of non-compliance, particularly when it comes to two large groups of stakeholders who are likely to make most use of the Sar regime: employees and customers.

More so than ever before, people are taking seriously the need to protect their personal information and any business seen not to be taking appropriate steps to do likewise is likely to suffer as a result.

Plan for the future

What should businesses be doing now and going forward? If it is not already happening, then how businesses respond to Sars should be reviewed as part of their GDPR planning to ensure compliance by May 2018.

Businesses need to consider what types of personal data they have (depending on the nature of the business) and where it is located. Internal practices and policies for responding to Sars should be reviewed to ensure they are up to date and reflect the recent and proposed developments outlined above. 

The responsibility for responding to Sars often falls to compliance. Consideration should be given as to whether the team has received appropriate training to ensure they are aware not only of the changes, but also of the more nuanced and tactical aspects. For example, organisations should be aware of Sars being made for collateral purposes – particularly litigation opponents already suing the business – and ensure the legal department is involved in potentially contentious Sars.

Businesses also need to consider how they will cope with an increase in demand and tighter timescales to review large amounts of data. Do they need to recruit externally or is there capacity internally? Does the business need to think about outsourcing the work to a law firm and, if so, on what terms? Examples include a fee per Sar, a fee based on the number of documents to be reviewed and the more traditional hourly rate.

Our increased use of technology has contributed substantially to the issue, given the vast volume of data businesses now generate and store. Businesses should, in turn, ensure that they are making the most of technology when it comes to Sars, including artificial intelligence-based tools, and use it to assist with the review process. Used intelligently, technology can make responding to a Sar quicker and cheaper, or at least mitigate the effect technology has had on the proliferation of data.

Like other aspects of the GDPR, the more businesses plan and prepare now, the better. While the changes are likely to result in an increased burden on businesses, following the above steps should help reduce that burden while ensuring organisations are able to comply with the requirements of the Sar regime.

Abigail Healey is a partner and Mark Chesher is legal director of Addleshaw Goddard