Rights without responsibilities?

A Data Subject Access Request (DSAR) is a fundamental individual right under the UK’s General Data Protection Regulation (GDPR). Everyone has the right to know how their personal data is being processed by an organisation which controls that data.

Published 10 March 2022

Website cookie notices have raised awareness that an individual’s personal data is often used for purposes not clearly explained to them and/or not with their active consent. DSARs are therefore a useful and valuable tool for customers, employees, service users and others to hold a larger organisation to account.

Where multiple individuals have similar issues, an argument can be made for coordinating DSAR requests, but where groups of customers, tenants, service users and others combine and submit a barrage of DSARs as a tactic in a dispute to delay and disrupt, has a line been crossed?

The unstated and difficult-to-prove objective of “weaponised DSARs” is to tie up time and resource as a means of applying pressure to the business and improving a negotiating position. That is not what the DSAR right was designed for.

For each DSAR an organisation must satisfy itself that the requester is indeed the data subject or has their authority. It must then search multiple locations to identify electronic and hard copy materials containing the individual’s personal data, review those materials to establish what is and is not relevant personal data (not as easy as it sounds) whilst ensuring that it does not reveal personal data of other individuals, unless those individuals have consented. Irrelevant or legitimately excludable material must then be removed before preparing and providing the data in a suitable form in its response.

Even for businesses with effective DSAR response policies and procedures, responding to large numbers filed at the same time can impose a considerable burden in a short timescale, since it is not a tick-box exercise.

Some may see nothing wrong with the weaponisation of DSARs. Clients and customers are invariably in a much weaker position than the business with which they are in dispute, so this may be seen as a counterbalance.

However, the use of this valuable right as part of a coordinated campaign for reasons unconnected with a genuine desire to know what data is held and what it is used for, and without any responsibility or accountability for the requester, other than (perhaps) the organiser, risks abusing and devaluing that right.

A data controller can object to or refuse to answer a DSAR if it can be shown to be “manifestly unfounded” or “manifestly excessive”, but proving this is difficult except in the most obvious cases. Each individual data subject can argue that their DSAR is neither excessive nor unfounded: they genuinely wish to know what data is being processed.

At some point a brave business on the wrong end of a DSAR avalanche will have to take the risk of being sanctioned for non-compliance in order to establish whether such tactics can justify a refusal to respond.

 

First published by The Times on 10th March 22
