Many organisations have experienced a rise in costs for IT and legal services on the path to complying with the European Union’s General Data Protection Regulation (GDPR).
Estimates, a year and a half on from the GDPR’s roll-out, put additional spending and the ongoing cost of consulting and technological services at over £100,000 for mid-sized operations – while, at many larger, multi-national organisations, costs have breached £1 million, according to analysis by DataGrail.
A key provision of the new regime is the obligation to respond swiftly to subject access requests (SARs). These are requests, made by an individual, to obtain details of how, and for what purpose, an organisation uses their personal information. The two groups most likely to make such requests of an organisation are its employees and its customers.
The scale of the challenge posed by these requests is considerable, as are the costs. Research collected in 2019 found that almost three quarters (71 per cent) of businesses in the UK have received SARs from their staff since May 2018, and more than two-thirds (67 per cent) have had to increase their expenditure in order to process these requests. These figures, and the operational costs behind them, are heading in only one direction as society, and the workplace, become ever more digitised.
SARs are not new. However, the provisions of the GDPR and the UK Data Protection Act 2018 have given them additional weight and a sharper edge, for data subjects and for the organisations that process their data alike.
The main changes that came into effect with the 2018 regime are as follows.
Under the previous legislation, the Data Protection Act 1998, a £10 fee could be charged to the individual on opening a SAR. With the introduction of the GDPR this charge has largely been removed, except where a request is “manifestly unfounded or excessive”, or “repetitive in character”. In such a scenario an organisation can charge a “reasonable fee”, taking into account the administrative cost of providing the information, or may refuse to act altogether. This could discourage very onerous SARs, but as yet the documentation produced by the UK Information Commissioner’s Office (ICO) offers no firm definition of what is “manifestly unfounded” or “excessive”. The burden therefore falls on the organisation or employer to show that a request is “manifestly unfounded” or “excessive”, and the lack of precedent or written definition makes that a difficult position to defend in any dispute.
GDPR changes things
Previously, an organisation issued with a SAR had up to 40 days to respond. Under the GDPR, organisations must now respond without undue delay and, in any event, within one month of receiving the request. The period can be extended by a further two months if the request is particularly complex, or if the individual has made numerous requests, but for the most part organisations will need to comply within the one-month time frame. The clock starts when the organisation receives the request together with any information it needs to verify the identity of the person making it.
The procedure for making a SAR has fundamentally changed. Under the GDPR, requests no longer need to be made in writing. A request could be made verbally, over the phone, or via social media, to any person in an organisation. There is also no requirement to use the words “subject access request”: it simply has to be clear that the individual is seeking access to their own personal data. Staff who deal with the public therefore need to be able to recognise a request and route it to whoever handles them.
Many organisations may be unaware of these changes, and of the headache and cost that await them on receiving a SAR. For smaller enterprises the post-2018 SAR is especially potent, and potentially fatal, given low operating budgets and limited workplace capacity. It is reasonable to assume, for example, that the majority of UK SMEs have no in-house IT unit or specialist team capable of pulling the data a SAR requires, and will therefore be compelled either to outsource the process, at great cost, or to breach the one-month compliance window.
There are, however, steps that teams of all sizes can take to prepare for a SAR.
Mapping data first
The first is to ensure that all data held by the organisation, across its systems and network, is mapped. This means creating an index of both structured and unstructured data, so that data protection officers or IT teams can quickly pull the files that contain a given data subject’s identifiers. Such information can be held in any file type, including Word documents, spreadsheets, plain-text notes, XML files and even zip archives, so the index has to look inside containers as well as at loose files. As for the identifiers themselves, the search needs to match patterns, usually expressed as regular expressions, for the kinds of personal data found across the EU member states, such as national identification, passport, personal ID and VAT numbers. Pattern matching alone over-flags, so where an identifier carries a check digit or checksum, validating it cuts the false positives that a reviewer would otherwise have to clear by hand.
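The sketch below shows what that mapping step looks like in practice. It is an added example written for this page, not a tool from the author or from VFS Global: it walks a directory tree, opens zip containers (Office documents are zip files too) by their magic bytes rather than by extension, runs a small set of identifier patterns over every text it finds, and filters IBAN hits through the mod-97 checksum so that a near miss is not reported. The patterns, the file names and the sample records are all constructed assumptions; a real deployment needs a pattern per member state and per document type, and the NINO pattern is a format check only.

```python
"""Minimal personal-data discovery scanner (illustrative; assumptions throughout)."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

# Identifier patterns. These are assumptions for illustration, not a complete
# catalogue; in production each member state and document type needs its own.
PATTERNS = {
    # UK National Insurance number, optional spaces between groups. Format check only.
    "uk_nino": re.compile(
        r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]"
        r" ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b"
    ),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # IBAN: country code, two check digits, 11-30 alphanumerics, spaces allowed.
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b"),
}

ZIP_MAGIC = b"PK\x03\x04"
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # guard against decompression bombs inside archives


@dataclass(frozen=True)
class Finding:
    location: str  # file path; archive members are written as "<archive>!<member>"
    kind: str
    value: str


def iban_checksum_ok(candidate: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the whole number must leave remainder 1."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def scan_text(location: str, text: str) -> list:
    findings = []
    for kind, rx in PATTERNS.items():
        for match in rx.finditer(text):
            value = match.group(0)
            # Edge case: a regex over-matches; drop IBAN candidates that fail the checksum.
            if kind == "iban" and not iban_checksum_ok(value):
                continue
            findings.append(Finding(location, kind, value))
    return findings


def scan_bytes(location: str, data: bytes) -> list:
    """Dispatch on content, not extension: zip containers (.zip, .docx, .xlsx)
    are opened and every member is scanned recursively."""
    if data[:4] == ZIP_MAGIC:
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                findings.extend(scan_bytes(f"{location}!{info.filename}", zf.read(info)))
        return findings
    return scan_text(location, data.decode("utf-8", errors="replace"))


def scan_tree(root: str) -> list:
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                findings.extend(scan_bytes(path, fh.read()))
    return findings


def demo() -> list:
    """Build a small constructed corpus in a temporary directory, scan it, and
    return (location, kind, value) tuples with the temp path replaced by <root>."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "hr_notes.txt"), "w", encoding="utf-8") as fh:
            fh.write("Payroll query from Jane Doe, NI no. AB 12 34 56 C, jane.doe@example.org\n")
        with open(os.path.join(root, "suppliers.csv"), "w", encoding="utf-8") as fh:
            fh.write("name,iban\n")
            fh.write("Valid Ltd,GB82 WEST 1234 5698 7654 32\n")   # passes mod-97
            fh.write("Typo Ltd,GB82 WEST 1234 5698 7654 33\n")    # fails mod-97, not reported
        with zipfile.ZipFile(os.path.join(root, "archive.zip"), "w") as zf:
            zf.writestr("old/contacts.txt", "Contact: bob@example.com")
        return [(f.location.replace(root, "<root>"), f.kind, f.value) for f in scan_tree(root)]


if __name__ == "__main__":
    for location, kind, value in demo():
        print(f"{kind:8} {value:32} {location}")
```

Running the module prints four findings: the NINO and e-mail address in `hr_notes.txt`, the e-mail address inside the archive member, and the one IBAN that passes its checksum. The mistyped IBAN is silently dropped, which is the behaviour a reviewer wants when the output feeds a redaction queue rather than a grep log.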
The second fundamental is access. Organisations need full visibility of who has access to which data and which system permissions. It is therefore crucial to establish, at an early stage, how information can be pulled without delay, particularly from cloud-based e-mail providers and other service providers. That same visibility exposes the ‘permission creep’ that sets in over time, when access rights are granted too broadly and never revoked, which presents further data management challenges of its own.
Organisations should also bear in mind that internal data protection officers (DPOs) will invariably be the ones tasked with complying, and with ensuring that the privacy rights of other people are not infringed in the process. Records about one subject routinely mention others, so a considerable amount of redaction may be required before the SAR data is released. This is something that should be considered in e-mail etiquette, although that is perhaps a subject for another article.
To avoid the prospect of a heavy fine from the ICO (failures to honour data subjects’ rights fall into the higher tier of GDPR penalties, up to 20 million euros, or the equivalent in sterling, or 4 per cent of total worldwide annual turnover, whichever is higher), businesses are advised to make themselves familiar with SARs, understand what they will mean in practice, and prepare so that they know what data they hold, where it is and how to find it. That way they can beat the clock before it has even started ticking, and produce the requested records promptly and in full compliance with the GDPR and the Data Protection Act 2018.
Barry Cook, Privacy and Group Data Protection Officer, VFS Global