Buried among the weighty provisions of the General Data Protection Regulation (GDPR) are some changes to the data subject access request (Sar) regime under the existing Data Protection Act 1998. The changes could be costly, particularly for businesses that hold large amounts of personal data on individuals. Non-compliance can lead to regulatory enforcement, litigation and a whole host of reputational issues.
The government has announced that it will update existing data protection laws and bring the EU's impending GDPR into domestic law through a new Data Protection Bill.
The GDPR, which comes into force in May 2018, will introduce changes to the Sar regime that will make it easier – and free – for individuals to require an organisation to disclose personal data it holds on them.
Businesses might be forgiven for thinking that this is not the GDPR provision that should cause them most worry. Indeed, it might be difficult for some to see past the headline-grabbing fines (4 per cent of global turnover or £17m). Further, the Sar regime is not new, given that individuals can already make Sars under existing law. However, businesses – particularly those that by their nature store a large amount of personal data – should not underestimate the impact the changes to the Sar regime might have on them going forward.
There are several reasons for this. Many organisations have already reported an increase in the number of Sars being made of them, and this is likely to increase further with the abolition of the current £10 fee under the GDPR. A government impact assessment estimated that abolishing the fee might result in an increase in the number of Sars of between 25 per cent and 40 per cent.
Under the GDPR, businesses will be required to respond to a Sar within a month rather than the current 40 days, placing an increased burden on already stretched resources.
Several recent court decisions have been data-subject friendly. Previously, if the Sar regime was being used for collateral purposes, for example by a litigation opponent, then it might have been possible to simply refuse to respond to the Sar. Now, it seems that is much more unlikely, so businesses can expect more Sars being made for tactical reasons, such as to gain an advantage in litigation or to obtain data that might then be used to initiate proceedings.
- Changes to the data subject access request (Sar) regime could be costly.
- The volume of personal data held by some businesses makes compliance more difficult.
- Businesses should also prepare for an increase in litigation.
It might even be possible for a litigation opponent to obtain legally privileged documents by the Sar back door, if those proceedings are taking place in a foreign jurisdiction. A recent case – Dawson-Damer versus Taylor Wessing LLP – held that the privilege exemption only applies if privilege would be recognised in proceedings in the UK.
The current law also permits a business to refuse to supply the data if doing so would involve disproportionate effort, yet the courts appear to take a different view of proportionality from the one most businesses might expect. For example, the court decision in Deer versus University of Oxford resulted in the university reviewing 500,000 documents at a cost of £116,000, which led to 33 new documents being provided to the data subject.
The sheer volume of personal data held by some businesses makes compliance more difficult and time-consuming. The GDPR also brings in a new – in some respects wider – definition of what constitutes personal data.