The rise in data requests is costing businesses millions.
According to research conducted by HR and law group Loch Associates, businesses are facing significant costs due to an increase in data subject access requests (DSARs). DSARs are made by employees who want to know what information an organisation has about them, such as medical records or WhatsApp messages. It is mandatory to respond to these requests within 30 days and provide all requested data.
On average, a DSAR from an individual costs an SME around £20,000. The Information Commissioner’s Office (ICO), responsible for handling DSAR complaints, has seen a 23% rise in complaints from April 2022 to March 2023. Joe Milner, a partner with Loch Associates Group, believes the actual increase in DSARs is even greater now since the ICO only has access to the number of complaints.
Milner explains that individuals have increasingly used DSARs as a tool, sometimes as a “fishing expedition,” to support their disputes with organisations. Raising a DSAR has become a default option for individuals seeking to negotiate exit packages or settlements from a more informed position. Milner attributes this rise in awareness and use of DSARs to the introduction of GDPR in 2018.
He emphasises the importance of having clear processes in place to gather requested data within the 30-day limit, as this can be a costly and time-consuming exercise. Training staff, establishing record-keeping protocols, and retaining relevant information while removing unnecessary data can also reduce information storage costs.
To effectively manage DSARs and mitigate costs, here are some recommended actions for businesses to consider:
- Establish Clear Processes: Develop well-defined procedures for handling DSARs, ensuring that employees are aware of their responsibilities and the steps to follow when responding to requests.
- Timely Response: Adhere to the 30-day response deadline mandated by regulations. Promptly acknowledge receipt of the request and provide regular updates to the individual throughout the process.
- Data Inventory: Maintain a comprehensive inventory of the personal data your organisation holds, including its location, purpose, and legal basis for processing. This inventory will facilitate efficient responses to DSARs.
- Staff Training: Educate employees about DSARs, their rights and obligations, and the importance of data protection and privacy. Provide training on how to handle requests, identify relevant data, and ensure compliance with legal requirements.
- Record-Keeping Protocol: Implement robust record-keeping practices to document all steps taken in response to DSARs. This includes details of data searched, redacted or excluded information, and reasons for any exemptions applied.
- Data Minimisation: Regularly review and cleanse stored data to ensure that only relevant information is retained. Removing unnecessary data not only reduces storage costs but also simplifies the process of responding to DSARs.
- Data Security: Maintain appropriate security measures to protect personal data from unauthorised access or breaches. Encryption, access controls, and monitoring systems can help safeguard sensitive information.
- Seek Legal Counsel: Engage with legal professionals experienced in data protection and privacy laws to ensure compliance with applicable regulations. They can provide guidance on complex requests, exemptions, and legal obligations.
By implementing these measures, businesses can better manage the impact of DSARs, reduce costs, and ensure compliance with data protection regulations, ultimately protecting their reputation and maintaining trust with employees.