Prior to the GDPR coming into effect in May 2018, there was widespread speculation regarding the impact of the new rights to be forgotten and data portability. However, as we approach the one year anniversary of the GDPR, it is not these new rights that our clients tell us are causing concern.
For most, it is the significant increase in subject access requests (SARs) that is proving problematic. Thanks to the tidal wave of GDPR publicity, individuals have never been better informed about their right of access nor, with the withdrawal of the £10 SAR fee, more willing to use it.
Heightened awareness and free access have created a spike in demand which, coupled with a lack of guidance in relation to the updated rules around SARs, have left many businesses firefighting numerous SARs with little certainty as to whether their approach is fully compliant.
Two of the most common issues we encounter in practice are:
- Uncertainty around the time allowed for responding – Many organisations are relying on outdated guidance regarding the interpretation of “one month” that was published prior to the ICO issuing its formal guidance. Others are putting themselves in breach by routinely applying the two month extension period to all requests received or, conversely, putting unnecessary pressure on resources by failing to apply the extension where it may reasonably be used.
- Lack of understanding as to when a request can be refused – The GDPR allows an organisation to refuse to respond to a request or impose a fee where the request is manifestly unfounded or excessive (taking into account whether a request is repetitive) but what exactly is meant by “manifestly unfounded or excessive” and when does a request become repetitive? Whilst we are now familiar with the ICO’s internal guidance on the issue, the ICO has yet to publish any guidance and acknowledges that, in the absence of published guidance or case law, using the exception will carry an element of risk.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at April 2019.