ICO
Two and a half years after the GDPR came into force, the ICO have published their long-awaited guidance on Data Subject Access Requests (“DSARs”).

Preparation

Much is made in the guidance of the importance of preparation. The guidance sets out that data controllers should:

  1. Train their workforce to recognise requests (e.g. requests made verbally or over social media);
  2. Appoint specific people to deal with requests;
  3. Put in place a data subject rights requests policy to assist with the smooth handling of DSARs; and
  4. Have technical systems in place to assist with the retrieval of requested data.

These steps will certainly assist, but unfortunately DSARs are a tool used by many data subjects to cause as much pain as possible to data controllers. Having taken these steps, data controllers will be required to search for data subjects’ data, review and redact as appropriate, and provide it to the data subject by the statutory deadline.

Reasonable searches

It is positive news that our representations to the ICO based on their draft guidance have been heeded.

In the draft guidance, no mention was made of the fact that a search for data in response to a DSAR need only be ‘reasonable’. This would have been a gift to data subjects who use the DSAR process as a means to impose a financial and administrative burden on data controllers as a form of gaining leverage (e.g. employees who are in dispute with their employers).

Fortunately the ICO have taken our comments on board and specified that data controllers ‘are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information’. Data controllers can therefore limit searches to those that are reasonable and proportionate – there is no obligation to make every possible effort to find all instances of personal data on the data controller's systems.

How we can help

We have extensive experience of working with clients to respond to DSARs, making the experience as pain-free and cost-effective as possible: from receipt, to the carrying out of reasonable searches, to review and redaction, and production of a final product to provide to the data subject.

Bearing in mind that the intent of many data subjects is often nefarious when submitting DSARs (i.e. it is not purely to see how their data is being processed), we work with clients to make the whole process as reasonable and smooth as possible, striking a balance between compliance with regulatory requirements and the needs of the business.

For more information contact those listed on this page or your usual Lewis Silkin contact.
