02 September, 2020
The General Data Protection Regulation (GDPR) has been in force for over 2 years now, but it would appear that many organisations are still coming to terms with the new Regulation and the impact it can have on their day-to-day practice, not least the colossal increase in the volume of subject access requests (SARs), which appear to be creating as much pressure and confusion as the threat of a data breach itself.
According to the Information Commissioner's Office's own official statistics, mishandling of SARs is by far and away the number one data protection issue complained about by the public. In 2019 more than half of the 18,000 data protection-related complaints lodged with the Information Commissioner's Office (ICO) concerned individuals' rights to access their personal data held by organisations. As a result, the ICO has published guidance to assist organisations in dealing with requests from individuals for their data.
A subject access request (SAR) is a request made by or on behalf of an individual for information. The request does not have to be in any particular format. It entitles an individual to find out and see what personal data is being held about them by an organisation, and more importantly why that organisation is holding it, and who that organisation may disclose that information to. Any individual is entitled to ask for this under Article 15 of GDPR which is effective through the Data Protection Act 2018.
Under the new GDPR, the request can be made verbally, in writing or via social media. The request can be sent to any Department of the organisation, and as long as it makes clear what the individual is asking for then it will be deemed as a valid request and should be treated as such. Once received, the requests should be handled in accordance with the requirements of the Data Protection Act 2018 / GDPR.
In the majority of cases no fee will be charged, unless the organisation can show that the request is either manifestly unfounded in its nature, or is so excessive or complex it will require additional time and administrative resources to produce it. If that is the case, the organisation concerned should advise you of those charges before undertaking the request. They should do this within 1 month of receiving your request.
Under Article 12 of the GDPR, a data controller must respond to a SAR without undue delay, and in any event within 1 month of receipt of the request. This can be extended by a further 2 months if the request is complex or a series of requests have been made by the data subject. The rules stipulate that requests must be dealt with promptly. If the request is complex or on a large scale, agreement should be sought to extend the time to respond within that 1-month time period. The responsibility for complying with a SAR lies solely with the data controller.
If there is a good reason not to comply with the request then you should be informed of those reasons. If you are not happy with the response given, or the organisation has simply failed to respond to your request within 1 month, then you have a right to complain to the ICO, who have the ability to enforce your right, ultimately through a judicial remedy.
The ICO has powers to issue the organisation with warnings, reprimands and compliance orders, and in extreme circumstances can impose large fines on organisations that have breached the GDPR. If a fine is deemed appropriate the ICO will have considerable discretion to set the level. There are no fixed penalties or minimum fines. The ICO will also take into account the past conduct of the organisation concerned. The Data Protection Act 2018 also makes it a criminal offence to alter, deface, block, erase, destroy or conceal personal data to prevent disclosure to a data subject.
The organisation must inform you immediately if they have mishandled your SAR, and as a result breached your data, privacy, or personal information. In such cases you may have a claim for compensation.
If on receipt of your subject access request you believe there has been a data breach, a mishandling of your information or a breach of your privacy or confidence, then under the GDPR there is a right to claim compensation. Any data subject who has suffered damage as a result of processing that is not in compliance with the Regulation will have the right to receive compensation from the controller for the damage suffered. If a claim for damages can be proven then claims can be made for distress alone, whether or not there has been any attached financial loss or personal injury.
It is clear since the introduction of the GDPR that Claimant Solicitors are noticing a significant increase in enquiries from individuals seeking to bring civil claims against organisations for breaches of the GDPR caused by mishandling of SARs. Whilst the level of damages individuals can expect to receive is relatively low as the case law emerges, the cost to organisations of dealing with such claims can be huge. In most cases, data breaches happen because of human error and/or a failure to implement reasonable and robust processes. It appears that the claiming of compensation is the only way some organisations will be persuaded to take their responsibilities seriously and make the necessary improvements to their processes. Organisations that do not do so stand to face more than reputational risk when their customers' data is mishandled or affected by a data security breach.
Time spent getting robust policies and procedures in place now may therefore pay dividends in the long run.
If you believe you may have suffered a data breach, or have any enquiries relating to the mishandling of a SAR which may give rise to a possible civil claim, please contact Lisa Atkinson, Associate at Forbes Solicitors on 01254 222 448 or email at email@example.com for a free initial consultation, or to receive further information and guidance.
If your organisation needs training or help with handling SARs or GDPR compliance generally please contact our Government, Procurement & Information team here.