The Ever Increasing Demands of the Regulator
December 11, 2019
Clarifying DSAR Requests: a subtle but important change
On 4 December 2019 the Information Commissioner's Office (the “ICO”) confirmed it had begun consultation on its draft right of access guidance (“DSAR Guidance”). The DSAR Guidance is intended to build upon existing guidance provided by the ICO, setting out further detail as to the various aspects of this right. This includes explaining how organisations can manage and respond to such requests and what exemptions may apply.
Whilst the DSAR Guidance is welcomed, there does appear to be a noticeable change in approach by the ICO with respect to a particular aspect of Subject Access Requests. This concerns the point at which the one-month period for responding to a Subject Access Request begins where a Data Controller wishes to clarify the request.
What is a Subject Access Request?
The right of access is one of the key rights available to individuals, and is set out in Article 15 of the General Data Protection Regulation (the “GDPR”). This right of access allows individuals to ask how their personal data is being used and to request a copy of it.
Article 12 of the GDPR confirms that Data Controllers must provide the requested information to the individual without undue delay and in any event within one month of receipt of the request.
What has changed - ICO Website?
Looking at a snapshot of the ICO website from 1 October 2019, the following guidance was provided for a Data Controller looking to clarify a Subject Access Request:
If you process a large amount of information about an individual you can ask them for more information to clarify their request. You should only ask for information that you reasonably need to find the personal data covered by the request.
You need to let the individual know as soon as possible that you need more information from them before responding to their request. The period for responding to the request begins when you receive the additional information. However, if an individual refuses to provide any additional information, you must still endeavour to comply with their request, i.e. by making reasonable searches for the information covered by the request.
However, upon visiting the same page on the ICO’s website the following guidance is now provided (as of 4 December 2019):
If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request. However, this does not affect the timescale for responding - you must still respond to their request within one month. You may be able to extend the time limit by two months if the request is complex or the individual has made a number of requests (see ‘Can we extend the time for a response?’).
You cannot ask the requester to narrow the scope of their request, but you can ask them to provide additional details that will help you locate the requested information, such as the context in which their information may have been processed and the likely dates when processing occurred. However, a requester is entitled to ask for ‘all the information you hold’ about them. If an individual refuses to provide any additional information or does not respond to you, you must still comply with their request by making reasonable searches for the information covered by the request. The time limit is not paused whilst you wait for a response, so you should begin searching for information as soon as possible. You should ensure you have appropriate records management procedures in place to handle large requests and locate information efficiently.
This change in approach and wording is also reflected in the DSAR Guidance when compared to the ICO’s 2017 “SAR Code of Practice”.
As the guidance quoted above makes clear, the one-month period in which a Data Controller must respond to a Subject Access Request will now begin when the Subject Access Request is first received, regardless of whether the Data Controller wishes to clarify that request.
Consequences of this DSAR Guidance
This updated approach is a subtle, but important change by the ICO reinforcing the idea that, one and a half years after the GDPR came into force, it is not acceptable for Data Controllers to lack a complete view of what and where personal data is being processed.
Whilst this new DSAR Guidance does not change the fact that it is important for Data Controllers (and their Data Processors) to be in a position to provide a quick response to Subject Access Requests, the period in which a Data Controller can provide a response is likely to be even shorter than before.
This approach could also have potentially unintended consequences, where Data Controllers may no longer ask for clarification once they receive a Subject Access Request and instead progress such a request immediately by only undertaking “reasonable searches”, thereby placing more of an onus on the individual to be clear with their request.
The ICO does not elaborate on what would be considered a “reasonable search” and this could have the potential to be interpreted subjectively by different Data Controllers, should this not be elaborated on during the consultation of the DSAR Guidance.
The ICO’s consultation closes on 12 February 2020. You can find details as to how to submit a response on the ICO website.
How can PwC help?
As with all matters relating to compliance, the best approach is to put in processes and governance designed to ensure such requests can be responded to as quickly and easily as possible. This DSAR Guidance highlights the need to manage such requests as promptly as possible.
PwC has a range of tools designed to help an organisation understand where gaps may be found in its processes, and a team of subject matter experts that can provide advice tailored to best address your organisation's needs. For further information on how PwC’s Data Protection Team can help you manage Data Subject Rights Requests, please contact me or Polly Ralph.
We also host monthly Data Protection Bootcamps; if you’re interested, please sign up to attend.
Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L119/1