Following the implementation of the General Data Protection Regulation (GDPR) in 2018, there has been a huge increase in the number of data subject access requests made to banks and other firms.
Whether this is an intended or unintended consequence of the regulation is a moot point. The fact is that companies are having to devote unprecedented resources – both in terms of staff time and financial cost – to understanding the new requirements and fulfilling their obligations.
In the following interview with Arab Banker, Gareth Oldale identifies priorities for banks when they receive data subject access requests.
The GDPR also made changes to the rights that people have in respect of data that has been collected about them. Under the old Data Protection Act, people had, for many years, been able to demand to see data held on them in electronic form. The GDPR brought in additional rights related, for example, to data portability and the right to erasure of personal data (the so-called “right to be forgotten”), but its biggest impact has come from the way the GDPR makes people’s rights clearer and easier to enforce.
The most evident effect of these enhanced rights has been a huge increase in the number of data subject access requests (DSARs).
Firms used to be able to charge £10 for handling a DSAR, which wasn’t a lot, but it was enough to make some people stop and think, especially if they were planning to submit multiple requests. Under the GDPR, organisations can no longer charge for processing the request, unless there are exceptional circumstances (e.g. if the request is manifestly unfounded or excessive).
Another change under the GDPR is that the time that firms have to respond to a data request has been reduced to one month from 40 days. Whilst this time period can occasionally be extended by a further two months, to make three months in total, the circumstances in which the extension can be applied are extremely limited.
There is also a general trend for plaintiffs to use DSARs as a litigation tool – they have always been able to do so but making a DSAR is now much more routine. In particular, post-GDPR there has been a surge in claims management companies (CMCs) acting on behalf of large groups of individuals, for example following large scale data breaches. CMCs now regularly submit bulk DSARs on behalf of their clients, meaning that banks can find themselves with an influx of several hundred complex DSARs all arriving on the same date from a CMC, and all requiring a response within a month. Requests of this nature require a huge amount of resource, in order to respond to the DSARs within the statutory time period.
I think what has really changed over the last couple of years is that people are more aware of their data rights than in the past, as a result of the publicity around GDPR implementation.
All of the above factors, when taken together, mean that organisations now come under far greater pressure when responding to DSARs. The number and complexity of DSARs has gone up, the time for responding to them has gone down, and the penalties for transgressing the GDPR have increased significantly – including fines of up to €20million or 4% of annual worldwide turnover for the most serious breaches.
By their very nature, DSARs often occur in an adversarial context. For example, DSARs are routinely issued by employees who have been dismissed or made redundant, or when there has been a data breach and people are considering a claim or class action against the firm responsible.
Sometimes we see DSARs submitted by bank customers who are aggrieved that they have been refused a loan or had an account opening request rejected, and they want to use a DSAR to find out why.
DSARs cannot be ignored. Data controllers have a statutory obligation to respond to requests of this nature and failure to do so could lead to enforcement action, including potentially very large fines in the most serious cases.
Whilst DSARs cannot be ignored, there are various exemptions which could apply, depending on the circumstances in each case. For example, personal data relating to a third party should not normally be disclosed. Similarly, where legal professional privilege applies, any personal data contained within those documents would likely be exempt from disclosure.
More generally, DSARs can also be rejected if they are found to be ‘manifestly unfounded or excessive’. So, if a company is confident that it can show that a request is rooted in a personal grudge or is being used to harass an organisation, then it could have grounds for refusing to comply because the request is ‘manifestly unfounded’. As for ‘excessive’ – that might, for example, encompass a series of requests for the same data made over a short span of time.
However, firms should bear in mind that the GDPR’s focus is on protecting individuals rather than firms, so they should be very sure of their ground, and take legal advice, before refusing to comply with a DSAR. Both the courts and the Information Commissioner’s Office (ICO – the regulator) have made clear that they will take narrow interpretations of the law when considering exceptions to DSAR rights under the GDPR.
The first thing to do is to try to work with the person who has issued the request to find out what they want. Unless the request is a malicious attempt to cause the company as much inconvenience as possible, the person requesting probably does not want to have to wade through tens of thousands of emails any more than the company does. So, an approach that says, ‘Let’s work together to get you what you want’ can often be effective.
But if a company has to comply with the request – and in the vast majority of cases, it does – then the company must undertake a search that is ‘reasonable and proportionate’. In practice, in the case of a very wide DSAR (e.g. ‘give me a copy of all personal data that you hold on me’) that is going to entail reviewing emails of everyone with whom the requester has had contact, and messages between that person and others that are stored on work phones, including social media applications such as WhatsApp. That is a huge task.
Having said that, the fact that a requester is mentioned in a document does not in itself mean that that document constitutes ‘personal data’ that must be disclosed. In order for information to constitute personal data, it must do more than simply identify the individual – it must concern them in some way. The courts have made clear that the purpose of DSARs is to enable a requester to check whether the data controller’s processing of their personal data has unlawfully infringed their privacy – a DSAR is not an automatic ‘key’ to any information in which the requester may be named or involved.
The burden of responding to a DSAR is widened by the need to redact information that is confidential to other individuals, or which comprises information relating to the company’s general commercial activities. For example, if an email contains three paragraphs of text setting out the terms of a new loan facility, one paragraph containing personal data relating to a third party loan applicant and then a final paragraph relating to the individual who has submitted the DSAR, it is likely to be the case that only the final paragraph of the email should be disclosed in response to the DSAR. Attention therefore needs to be given to ensuring that only information which should be disclosed is disclosed, especially where documents contain information relating to more than one individual.
We have advised organisations on a number of data breach claims recently where one individual has submitted a DSAR, and has then received personal data relating to a third party in error. This usually happens because insufficient time is spent reviewing the documents before issuing a response to the DSAR. It is an issue which can be easily avoided by applying greater diligence to the DSAR review process.
CCTV is another area of particular concern. The regulator has made clear that CCTV falls within the scope of the GDPR so, for example, if a customer is captured on a CCTV camera in a banking hall, that might need to be disclosed in response to a DSAR. However, the identities of other people in the CCTV footage would first need to be obscured (unless they had consented to their personal data being shared with the person submitting the DSAR), for example by pixelating their faces.
At TLT we have electronic tools that can conduct these searches of vast data sets, and help to make the redactions more efficiently, according to a set of criteria established by the company responding to the DSAR. It is not only quicker and cheaper than using staff to handle the whole request, but it is also more reliable.
As the number of DSARs increases, firms are not only eager to find technology-based solutions, but in many cases they are also keen to outsource the DSAR response process so as to minimise the disruption to their businesses.
Electronic searches and other technological tools cannot completely replace human involvement, but they can conduct a lot of the ‘early stage’ work and so enable human intervention to begin at a later stage in the process, when it can add more value, for example, by ensuring that search criteria have been properly set, or ensuring that alternative names used by the plaintiff have been searched.
As a result of the Covid-19 outbreak, we are all now painfully aware that our staff are vulnerable to viruses, not just our computer systems. All firms are now looking for tools to automate processes as a way of enhancing their reliability – it is not just a question of cost savings, although those are significant.
Running a computer-based response to a DSAR is also much quicker than using human staff. For example, the technology tools can quickly de-duplicate long threads of emails, which can significantly reduce the number of documents requiring human intervention. As such, although a technological solution cannot be a substitute for all human involvement, it will certainly reduce the level of dependency on human staff.
The ICO issued a statement on 15 April in which it recognised that, as a result of the Covid-19 outbreak, organisations are facing staff and operating capacity shortages, some firms have had to re-deploy staff, and many organisations are facing financial pressures. The ICO said that, as a result, it would take pragmatic and proportionate approaches to its regulation during the Covid-19 emergency, recognising, for example, that it might take firms longer to respond to data requests. The ICO also said that it would take into account that a shortage of resources could be a mitigating factor in any data breach by a regulated firm.
This is not to say that firms now have free rein to ignore GDPR requirements when handling DSARs. The ICO has also confirmed that the statutory time periods for responding to DSARs (and data breaches) remain unchanged. It is more that the ICO will take into account difficulties faced by organisations resulting from the Covid-19 pandemic if it receives complaints from individuals of delays by those organisations in responding to DSARs. To put it another way, the rules have not changed, but the ICO’s approach to regulating infringements of those rules has been temporarily altered.
As we emerge from the crisis, we would certainly not advise firms to assume that the ICO will continue to take a lenient approach going forward.
This article was first published in the 2020 issue of Arab Banker.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at September 2020. Specific advice should be sought for specific cases.