The evolution of Subject Access Requests into social media
July 17, 2015
As more consumers make use of social media to air grievances and complaints at organisations for poor practices or bad service, tech-savvy and data protection aware consumers will start to catch on to the idea of serving Subject Access Requests (“SARs”) through social media on organisations processing their personal data.
What are SARs and why are they used?
In the UK, a typical SAR is instigated by a data subject sending their request in a letter, email or fax. Organisations are required to respond within the statutory period of 40 days (provided that they are satisfied as to the identity of the data subject). Organisations are also entitled to charge a fee for dealing with a SAR, but in reality this fee is outweighed by the cost of dealing with the request.
Most SARs are issued by disgruntled individuals who feel that their personal data are being poorly handled or improperly shared with third parties. SARs are also commonly used as a fishing expedition for information that may prove useful for a data subject in dispute with an organisation. In any event, complying with SARs is an administrative and financial burden for organisations.
SARs and social media
The Data Protection Act 1998 (“DPA 1998”) introduced SARs under section 7, years before the social media that we know today existed. Fast forward to 2004 and Facebook was introduced which revolutionised the concept of social media. Soon after, similar platforms such as Twitter started appearing, providing individuals with various channels to communicate their complaints and requests.
The data protection principles were not intended to be a strict set of rules, unable to adapt to a changing environment, but rather a set of principles which could adapt to various media as data handling practices evolved. However, the speed of this evolution has been faster than expected.
What should organisations be doing?
The ICO’s Code of Practice on SARs recognises social media as a valid way to submit SARs and recommends that organisations: (1) assess whether they may receive SARs through social media; and (2) ensure that they take reasonable and proportionate steps to respond effectively as data controllers.
It is therefore important for organisations to be alive to the fact that SARs can be received across multiple social media platforms (including Facebook and Twitter) and that, in some cases, SARs may not even be handled by data protection specialists. For example, social media accounts can be managed by third parties such as marketing and PR companies. Organisations should be aware of the various third-party access points available to data subjects when serving SARs and ensure that those third parties are contractually bound to route any SARs back to the organisation.
Organisations are generally best placed to address SARs by implementing policies and procedures and training staff and service providers on them. Further, as the digital age extends beyond the traditional forms of communication, it is important to ensure that these policies cover social media. Where a third party manages a social media account on their behalf, organisations should ensure that the necessary controls are built into contracts so that SARs are quickly identified and the right actions are taken by the third party.