Data subject access requests are ‘weaponised’ as disgruntled customers seek to ‘tie businesses in knots’

Businesses are seeing a dramatic increase in coordinated data subject access requests, or DSARs, as disgruntled customers seek to ‘tie businesses in knots’. Patrick Wheeler, Partner and Head of Data Privacy at Collyer Bristow, explains.

Published 10 February 2022

DSARs allow an individual to ask any organisation to provide copies of all of the data they hold about that individual. DSARs have steadily increased since 2018 when the £10 fee was abolished.

But now, as businesses hold more data on individuals and those individuals increasingly understand the importance of that data, DSARs are being used by disgruntled customers in a coordinated way to deliberately tie a business in knots. DSARs are being weaponised.

Businesses are being simultaneously flooded with DSARs by individuals who recognise that these requests take time and money to action. They are being driven by coordinated groups of individuals who are unhappy with the way a business operates.

Under the UK GDPR regulations, organisations have just 30 days to respond to a DSAR, in most cases. Organisations must provide copies of all data that is held on that individual. Often, that will mean providing copies of documents that first have to be redacted to remove any references to other individuals. That document appraisal process is rarely automated.

When a business faces large numbers of DSARs over a sustained period, this understandably consumes an extraordinary amount of management time and money.

Businesses cannot afford to ignore these requests even when they believe them to be vexatious. A failure to respond or an unexplained delay can result in regulatory enforcement action being taken by the Information Commissioner’s Office. DSARs can only be challenged on very narrow grounds, such as repeated requests being made by the same individual.

Excluded information is confined to a short list of specific exemptions which are narrowly defined, such as legal professional privilege, child abuse data, and data which if disclosed could prejudice a criminal investigation.

DSARs play a valuable role in keeping businesses accountable for the data they hold and how it is used. It is a right that should not be eroded, but at present there is no accountability for individuals in how they choose to exercise that right. Unless an individual clearly states that their motive is other than to learn what data the business holds about them, that business cannot refuse to comply on the basis of speculation about the individual’s motives.

DSARs were not designed to punish or frustrate organisations, but the balance is tilting in that direction and it is perhaps time to review the DSAR regime.

Download our checklist on how to respond to a DSAR here.

As first published on London Loves Business.
