In 2002-2003 an outbreak of SARS (Severe Acute Respiratory Syndrome) in southern China justifiably sparked fears of a global pandemic. Perhaps with some irony, SAR is also the acronym often used for denoting a “Subject Access Request” under data protection legislation, where a data subject asks a data controller for copies of his or her personal data.
The benefits of making SARs by data subjects have become increasingly well known. For example, they can be used to place pressure on a business to escalate a complaint; and they are often used to quickly obtain records for use in legal disputes. Equally, the effort required by a business to effectively respond to a SAR has been the subject of much commentary, and is recognised as being a time-consuming, costly and often distracting exercise.
But the advent of the EU General Data Protection Regulation (GDPR), which comes into force in May of next year, significantly augments the risk (including for UK business, as the UK government has committed to GDPR, notwithstanding Brexit).
Firstly, in addition to the right of access to personal data being updated by Article 15 of GDPR, there is now an accompanying right for data subjects to have their personal data rectified or erased. In the case of rectification or erasure, this must be undertaken without undue delay (and in Ireland, draft legislation effecting GDPR provides that access, rectification, or erasure is completed within one month of a request).
Secondly, data subjects will have a new footing to make direct claims against a data controller for breaching GDPR in respect of their personal data. This means that instead of having to make a complaint to the data protection authorities, an individual can take legal action against the data controller directly, and without any requirement to demonstrate that loss has been suffered.
What this means is the power wielded by a data subject in respect of his or her personal data will soon become much greater, backed by greater responsibilities placed on business (as data controllers) in respect of the personal data it processes.
A New Risk?
In an age of increasing consumer activism, underpinned by greater transparency of consumer rights and access to resources that support their enforcement, a new risk to business, and particularly consumer facing business, is co-ordinated subject access requests: a wave of SARs submitted to a business as part of a facilitated action against it.
The scenario is simple: for whatever reason, your business has become the subject of consumer activism, and so hundreds (perhaps thousands) of your customers submit subject access requests at the same time, all with the likely promise of a later request for rectification or deletion. Data protection law says you have a limited time to respond, and you cannot charge the customers for dealing with the request.
The first instinct of any business faced with such a scenario might be to seek the help of the regulator or the court. But, unlike freedom of information legislation, neither GDPR nor any of the existing or proposed future data protection legislation provides for the denial or postponement of an individual’s rights as a data subject simply because the exercise of those rights is thought to be vexatious, disproportionate, or disruptive. So, seeking such a denial would unlikely have the desired outcome, particularly since obvious reference cases (like the Durant case in the UK) don’t directly address the issue, and existing Codes of Practice just don’t help.
So, faced with legal action if it does not respond appropriately, how would your business manage in these circumstances? What resources would be needed to manage and respond to the requests, what disruption would it bring to the business and its systems, what failings might it expose and what costs would be incurred in meeting the requests?
In the face of such questions, this is a risk that should appear on the risk register of your data protection officer, or other person responsible for data protection. It should be assessed in the context of the overall risk that your business may face multiple SARs, as well the effectiveness generally of the data protection programme of your business, in particular:
- the efficiency and effectiveness of the procedures adopted for responding to SARs; and
- the ease of locating, collating, reviewing, cleansing, rectifying or erasing personal data processed by your business.
Robust and detailed procedures for receiving, verifying and responding to SARs, and related requests to delete or rectify personal data, are a core element of any data protection programme. These procedures should respond to all categories of personal data processed by the business, and for each detail not only the information that must be provided to a data subject as part of a SAR but also identify where the personal data is to be found within the information management systems of the business.
These procedures should also follow any relevant Codes of Practice, not only so the risk of failing to comply with legal obligations is reduced, but also to help identify early those circumstances where a SAR may not need to be immediately fulfilled.
Finding the personal data
Few data subjects will simply want to be provided with the information related to the processing of their personal data, they will also want to receive a copy of it and they may want to have it rectified or deleted. However, the experience of many data controllers is that finding the personal data of an individual data subject is often challenging, time consuming and resource hungry. The process is potentially overwhelming if a significant number of SARs are received in a short period.
Typically, this is because information management systems have not been designed with data protection principles in mind. They tend to be disaggregated, unconnected, and overloaded with personal data, over which insufficient control has been exercised in its processing.
Yet, to quote the view of the UK’s Information Commissioner:
“Given that subject access has been a feature of data protection law since the 1980s, your information management systems should facilitate dealing with SARs. They should allow you to easily locate and extract personal data in response to subject access requests. Systems should be designed to allow for the redaction of third party data where this is deemed necessary. Not only should your systems have the technical capability to search for the information necessary to respond to a SAR, but they should also operate by reference to effective records management policies. For example, it is good practice to have a well-structured fileplan and standard file-naming conventions for electronic documents, and for the retention and deletion of documents to be governed by a clear retention policy. If you are buying a new information management system, you should consider including requirements in the specification about searching and SARs”
Our view is that an effective information management system, of the type identified by the ICO, is critical to an effective data protection programme generally, not just to SARs specifically. However, this does not mean advocating significant investment in new technology. Rather, it means gaining a thorough understanding of the business needs that are fulfilled by its processing of personal data, then establishing a robust data governance framework which facilitates data processing in an aggregated, non-repetitive and efficient way.
In the context of responding to a SAR, this will facilitate:
- identification of where personal data is stored (whether physically or digitally);
- collation of personal data in a format that responds appropriately to the SAR;
- a review of the personal data so the information concerning the personal data can be verified, and the impact on the rights and freedoms of others by disclosure of the personal data established;
- cleansing of the personal data and the removal of items that would adversely affect the rights and freedoms of others; and
- the rectification or deletion of personal data in an auditable way.
As we approach the implementation date for GDPR, it is time to move from establishing the “what” of GDPR, to the “how”. This means addressing the fundamentals of how GDPR will be implemented within your business through its people, policies, procedures, and systems. In doing so, properly understanding the practical impact of GDPR (and its constituent elements, like subject access rights) on your business will be critical, ensuring a risk-based approach is adopted and longevity is built into the overall GDPR programme. There is no cure to GDPR, but what you do now will dictate the ability of your business to deal with the likely strains of its impact.
 This risk has already manifested itself in the financial services industry, and is likely to contaminate other industries given the nature of GDPR.
 Durant v Financial Services Authority  EWCA Civ 1746
 The ICO’s SAR Code of Practice (20170609) states “a SAR that is made as part of a bulk request has the same legal status as a SAR that is made individually; the purpose for which a SAR is made does not affect its validity, or your duty to respond to it”.
 It is acknowledged that not all businesses face this risk in the same way. Consumer businesses face most risk, particularly those whose relationship with the public is poor or where public backlash may be a risk based on particular issues.
 (per GDPR, Article 15 (1) (a-h))
 For example, if a request is made orally and the identity of the requestor cannot be verified.
 As required by GDPR Article 15(3)
 ICO’s SAR Code of Practice, at Page 210