Why data subject access requests have become more common under the GDPR

There has been a huge increase in the number of DSARs (data subject access requests) submitted in the past year. That shouldn’t be a surprise, given that the spike correlates with the GDPR (General Data Protection Regulation) taking effect.

But why exactly has the GDPR caused everyone to rush off to find out what information organisations store on them? Let’s take a look at some of the biggest factors:

1. Individuals are more aware of their rights

Individuals have always been able to view information that organisations keep on them. Before the GDPR, they could do this with an SAR (subject access request), but the GDPR tweaked the name and the way they work, and made people more aware of their rights.

This is one of the major benefits of the Regulation’s much-publicised disciplinary powers. It raised the stakes for effective cyber security and data privacy, leading to widespread discussions of the GDPR’s requirements and the rights it enshrined.

This links to the second reason that DSARs are occurring more regularly.

2. Individuals are more concerned about data privacy

The introduction of the GDPR reflects growing public worries over the way organisations use their data.

The likes of Facebook have been repeatedly entangled in data privacy issues, and many individuals have submitted DSARs to see what data of theirs is at risk and whether they should follow the right to access with the right to be forgotten.

By invoking the right to be forgotten, organisations must permanently erase any data they store on the individual unless the data is necessary for one of several purposes.

Individuals also have the right to restrict processing, whereby the organisation must limit the way it uses personal data.

It’s an alternative to requesting the erasure of personal data, and might be used when an individual contests the accuracy of their personal data or when they no longer need the information but the organisation requires it to establish, exercise or defend a legal claim.

Failing to respond to a DSAR could lead to legal action >>

3. Individuals are more curious

Individuals might not have a legitimate concern over the way an organisation processes their data but submit a DSAR out of curiosity.

Their intrigue might stem from wanting to see what information the organisation has and what it’s being used for. Alternatively, they might submit a DSAR to get involved with the GDPR and see how their rights work in practice.

Meanwhile, some access requests have come from individuals who want to test organisations’ compliance status. In the run-up to the GPDR taking effect, the Financial Times reported that Facebook and Amazon failed to respond to DSARs adequately.

If those organisations are still non-compliant, the person submitting the request can file a complaint, leading to an investigation from the ICO (Information Commissioner’s Office).

4. Organisations can no longer charge fees for DSARs

The GDPR has scrapped the £10 fee that organisations could charge to fulfil a DSAR. Some people were happy to pay this sum in order to review the way their data was being processed, but it was enough to dissuade many.

With that obstacle now removed, anyone can exercise their rights with minimal fuss.

The only times organisations can charge a fee are if DSARs are “manifestly unfounded, excessive or repetitive”. However, given that there isn’t any guidance on what fits these criteria, organisations will be cautious about using them.

Want help with DSARs?

Responding to a DSAR can be fraught with complications. Verifying the data subject’s identity, getting third-party permission, converting the information into an accessible format and responding within the deadline are all tough tasks, and failure to meet any of them constitutes a violation of the GDPR.

Our DSAR as a Service package removes the worries, as our experts take the reins and liaise with individuals to ensure you meet all your access request requirements.

Find out more >>

No Responses