2023-10-31

A recent surge in data subject access requests (DSARs) is costing businesses millions of pounds, with the average individual case costing an SME £20,000, according to multi-service law and HR business, Loch Associates Group.

The business has witnessed a significant rise in DSARs across most industry sectors, with organisations of all sizes across Sussex being affected. Many requests are believed to be made as fishing expeditions to see what data an employer has to disclose, the Group has warned.

Loch Associates Group, with offices in Sussex, Kent and London, found that the Information Commissioner's Office (ICO), which handles complaints raised in relation to DSARs, witnessed an alarming increase of 23% from April 2022 to March 2023, with almost 16,000 complaints relating to DSARs compared to 13,000 for the same period the year prior.

Joe Milner, a Partner and Solicitor Advocate with Loch Associates Group, said: “Based on the ICO figures and the average cost being £20,000, this is costing organisations £320m a year. However, we think this is just the tip of the iceberg, as the ICO won’t have records for all DSARs that are made. The ICO will only have access to complaints being made to the ICO due to alleged breaches of the legislation governing them.”

“We anticipate the number of DSARs will continue to increase and businesses should act quickly to have processes and training in place”, added Joe.

DSARs allow an individual to ask an organisation what personal information it holds on them, and were introduced under the Data Protection Act 1998. By all accounts, their use has exploded in recent years, with individuals becoming aware of this right through social media and the publicity around the GDPR (General Data Protection Regulations), which came into effect in 2018. The GDPR removed the ability for businesses to charge a fee for dealing with requests and reduced the deadline for responding from 40 days to a month.

Joe said: “DSARs have become an increasingly common tool – some would say weapon – used by individuals in dispute with organisations. They have become standard when employees are in dispute with their employer and are looking for a ‘smoking gun’ that they can use in negotiations or in an Employment Tribunal, should it come to that.

“The demands placed on organisations are considerable – just the initial process of identifying all the data held in respect of an individual can take weeks out of the one-month period for responding.”

Joe added that award-winning Loch Associates Group has also witnessed an increase in costs relating to DSARs, due to the considerable hours required to process a request. Each request requires correspondence with the individual, arranging IT searches of data held, often resulting in reviewing potentially thousands of documents, then redacting or excluding information that is privileged, relates to third parties or falls under another exemption. Then the response to the individual has to be prepared. For the most part, this whole process must take place within one month of receipt.

Joe highlighted that increased redundancies and downsizing have led to an uptick in DSARs as employer-employee relationships break down.

“Many DSARs are presented as broad requests for ‘all of [their] personal data’, which is often a huge task because employers tend to retain more information than they need to. In addition, social media messages, WhatsApp messages and texts relating to the employee are all disclosable.

“All of this can be tricky, time-consuming and costly. They also impact other data subjects, which may not be fully appreciated by everyone. It is difficult to see a resolution to the challenges - as more DSARs are received, businesses may find it harder to respond within the one-month timeframe, and those making the requests are likely to be frustrated by any delays or perceived failures, which may lead to more complaints,” said Joe.

However, Joe stressed that it is possible to anticipate the likelihood of DSARs, plan the process and manage the risks. In particular, organisations should be doing data protection audits to reduce the amount of information they retain and comply with the data protection legislation.

“Training staff and having processes in place are paramount. Record keeping protocol and making sure you only retain relevant information; basically, ensure you cleanse old data. Also, removing documents and information that they don’t need to keep. There are cost savings here too as it costs money to store information.”