Data subject access requests ‘weaponised’, says law firm Collyer Bristow
Businesses are seeing a dramatic increase in coordinated data subject access requests, or DSARs, as disgruntled customers seek to ‘tie businesses in knots’, says data privacy law firm Collyer Bristow.
Patrick Wheeler, partner and head of data privacy at Collyer Bristow explains: “DSARs allow an individual to ask any organisation to provide copies of all of the data they hold about that individual. DSARs have steadily increased since 2018 when the £10 fee was abolished.
“But now, as businesses hold more data on individuals and those individuals increasingly understand the importance of that data, DSARs are being used by disgruntled customers in a coordinated way to deliberately tie a business in knots. DSARs are being weaponised.
“Businesses are being simultaneously flooded with DSARs by individuals who recognise that these requests take time and money to action. They are being driven by coordinated groups of individuals who are unhappy with the way a business operates.
“Under the UK GDPR regulations, organisations have just 30 days to respond to a DSAR, in most cases. Organisations must provide copies of all data that is held on that individual. Often, that will mean providing copies of documents that first have to be redacted to remove any references to other individuals. That document appraisal process is rarely automated.
“When facing large numbers of DSARs over a sustained period this, understandably, consumes an extraordinary amount of management time and money.
“Businesses cannot afford to ignore these requests even when they believe them to be vexatious. A failure to respond or an unexplained delay can result in regulatory enforcement action being taken by the Information Commissioner’s Office. DSARs can only be challenged on very narrow grounds, such as repeated requests being made by the same individual.
“Excluded information is confined to a short list of specific exemptions which are narrowly defined, such as legal professional privilege, child abuse data, and data which if disclosed could prejudice a criminal investigation.
“DSARs play a valuable role in keeping businesses accountable for the data they hold and how it is used. It is a right that should not be eroded but at present, there is no accountability for individuals in how they choose to exercise that right. Unless an individual clearly states that their motive is other than to learn what data the business holds about them, that business cannot refuse to comply on the basis of speculation about the individual’s motives.
“DSARs were not designed to punish or frustrate organisations, but the balance is tilting in that direction and it is perhaps time to review the DSAR regime.”