Legal Consequences: Failing to Respond to a Subject Access Request

Buckinghamshire-based housing developer Magnacrest has been fined for failing to respond to DSARs (data subject access requests), giving organisations a fresh reminder of the importance of the public’s legal rights to review the information that’s processed about them.

The investigation into Magnacrest predates the GDPR (General Data Protection Regulation), resulting in a relatively small fine. However, the ICO (Information Commissioner’s Office) has warned that such lenience won’t be granted in the future, as the Regulation strengthens individuals’ rights and the punishments that can be levied for neglecting them.

What is a DSAR?

Individuals can submit a request, either in writing or during a conversation, to receive a copy of the information an organisation holds on them. There are no specific rules for how such a DSAR must be made; individuals can simply say, for instance, “I’d like to see what personal data you have on me.”

Once an organisation has confirmed the identity of the applicant, it has one month to provide this information. Where requests are complex or numerous, organisations are permitted to extend the deadline by a further two months (three months in total). However, they must still contact the individual within the first month to explain why the extension is necessary.

If a DSAR is manifestly unfounded or excessive (for example, because it is repetitive), the organisation can refuse to act on it or charge a “reasonable fee” for the administrative costs of completing the request. If it refuses, it must explain why without undue delay, and inform the individual of their right to lodge a complaint with the supervisory authority (in the UK, the ICO) and to seek a judicial remedy. The burden of showing that a request is manifestly unfounded or excessive rests with the organisation.

What should a DSAR response contain?

Alongside a copy of the personal data itself, the response must set out:

  • The purposes of the processing.
  • The categories of personal data involved.
  • The recipients (or categories of recipients) to whom the personal data has been or will be disclosed.
  • The length of time the personal data will be stored for (or, if this is not possible, the criteria used to determine that period).
  • An explanation that the individual can object to the processing, request that the information be rectified or erased, or request the restriction of processing.
  • An explanation that the individual has the right to lodge a complaint with a supervisory authority.
  • Where the personal data has not been collected direct from the data subject, any available information about its source.
  • Any information regarding the existence of automated decision-making, including profiling. This should cover the logic behind the automation and the ways the processing will affect the individual.

Simplify your DSAR response process

A Talend report published in September 2018 found that only 30% of organisations are able to fulfil DSARs within the GDPR’s 30-day deadline.

This shows how difficult it is to maintain an effective DSAR process. Requests have increased substantially since the GDPR took effect, while the deadline to respond has decreased and the amount of information that must be provided has increased.

It’s no surprise, therefore, that many organisations are looking for help. The GDPR DSAR Support Service, provided by our sister company GRCI Law, is a perfect example of how you can simplify the process.

GRCI Law’s experienced data privacy lawyers and DPOs (data protection officers) will manage the process on your behalf to ensure that requests are completed in accordance with the GDPR’s requirements. This includes:

  • Reviewing and assessing the nature and validity of the DSAR;
  • Verifying the individual’s identity;
  • Locating the data;
  • Obtaining consent from third parties in instances where personal information is contained within search results and, where it is unobtainable, applying redactions and lawful exemptions;
  • Formally disclosing the information to the individual; and
  • Documenting the facts relating to the DSARs.

Find out more about the GDPR DSAR Support Service from GRCI Law >>

GRCI Law Ltd is a subsidiary of GRC International Group plc. It is a legal risk and compliance consultancy that specialises in data protection and privacy law, including the DPA (Data Protection Act) 2018 and the EU’s GDPR (General Data Protection Regulation), cyber and information security, and legal and compliance advisory services.

Learn more about DSARs

You can find out more about DSARs by reading A Concise Guide to Data Subject Access Requests.

This free guide helps you understand how DSARs fit into your organisation, explaining who should be responsible for fulfilling them, how they relate to the GDPR and the consequences of ignoring your obligations.

It also includes a visual guide to the DSAR response process to help you remember each step you must complete.

Download this guide >>