A business has to overcome numerous challenges when it receives a request for access to personal data and it has a short time in which to comply. However, if it makes a genuine endeavour to do so, its data protection regulator may be lenient towards it.
The EU General Data Protection Regulation (GDPR) has given businesses many new responsibilities. One of these is handling the large number of data subject access requests (DSARs) that come from their customers and employees.
Article 15 of the GDPR states that a data subject has the right to access the personal data that the data controller holds about them.
Some reports estimate that the average cost of compliance with such a request can reach $1,400. That is because the processing of one request may take hours, days, or even weeks. Big companies can receive hundreds of these requests.
Although access requests are not new, the GDPR has made compliance harder because it has made access to personal data a right. Businesses cannot charge fees for access and they have to comply with requests within 30 calendar days of receiving them, Noemí Alonso Calvo, privacy counsel at bluebird bio, said at a PrivSec Global session entitled "Navigating Complex Employee DSARs".
The costs of compliance are high, but non-compliance can cost businesses even more. The GDPR states that failure to comply with DSARs may result in administrative fines as high as €20m, or up to 4 percent of annual global turnover, whichever is the greater.
Various challenges may arise when a business receives a request for access, especially from an employee.
One of the most common problems is the unwillingness of various parties to deal with each other, according to Bradley Tosso of the Gibraltar Regulatory Authority. In many cases, employees, or former employees, who make these requests do so with an intent to fish for information in a dispute against the company or to pressurise the company in negotiations that are already taking place.
It is important for the people who handle the request to treat it dispassionately and talk to the data subject to understand the motive behind the request, Tosso advised.
This can not only reduce the volume of data that they need to provide to the data subject, it can also reduce processing time significantly.
“Engage with the data subject, otherwise the DSAR will never end,” Filipe Lousa, privacy and compliance director of Globalization Partners, added.
Proper procedures can help to speed up the processing of DSARs. These might involve communication between the various departments, such as compliance, human resources (HR) and IT, that are handling them.
There is no standard format for a DSAR. It can come through a dedicated website, through internal processes, or through an HR department, either in written or oral form.
Once a DSAR comes through any of those channels, the 30-day countdown to the deadline begins, Lousa said, adding that it was crucial for organisations to train all their employees and ensure that requests are not lost.
The deadline, volume and people’s willingness to cooperate may all cause problems for businesses but, when it comes to investigating a DSAR complaint, it is more important for a business to show the authorities that it has made a “genuine endeavour” to solve the case, Tosso said.
Accountability is one of the main principles of the GDPR, he explained. Even if compliance proves difficult, regulators take it as a mitigating factor when a business shows that it has the necessary measures and training in place. Tosso advised businesses to “build up an argument when a regulator engages with them concerning a complaint”.
He also noted, however, that most regulators have procedures that allow the parties to resolve their cases. He thought that businesses would be wise to make use of those procedures.