· Comment

The weaponisation of data subject access requests

Data subject access requests (DSARs), often the responsibility of HR, are both costly and time consuming but the risk of being inundated is growing.

GDPR enables data subjects to request access to any personal data that an organisation might hold on them. However, demands are increasing.

A study from the The DPO Centre found six million adults had considered submitting a DSAR.

Personal data and access requests:

HR professionals must prepare themselves for a spike in data subject access requests

Tricky areas of GDPR compliance

Employees don't trust organisations enough to share personal data

The pandemic, too, saw an influx of pre-litigation DSARs to support employment tribunals owing to a rise in redundancies. A survey of 460 UK-based DPOs from the UK Data Protection Index revealed an average of 10.85 DSARs per month, peaking at 18.04 in December 2020 – a 66% increase.

DSARs must be actioned within 30 days unless an extension is sought, leaving firms scrambling to locate, identify and redact personal data and supplementary data that can go back years.

Research from Talend shows that more than half (58%) of GDPR-relevant companies failed to address DSARs within this timeframe and it is becoming common practice for companies to seek an extension, even though this adds to processing costs. 

Fulfilling a DSAR can be highly burdensome and costly.

Findings from The Data Privacy Group show that DSARs are costing UK businesses between £72,000 and £336,000 a year, with Gartner estimating a single DSAR can cost $1,400. 

It is not just genuine requests that companies are having to navigate, however. With no compunction to justify the request, DSARs are open to abuse.

Evidence is growing of DSARs being used disruptively. Blizzard Entertainment, for example, was swamped by DSARs by activists after it banned a customer who had supported the protests in Hong Kong.

In more malicious instances, there’s also the potential for cyber criminals to use the process to obtain personal data surreptitiously. 

There are also parties 'sneaking' DSAR requests (“Please tell me what data you have on me”) into longer correspondence in an attempt to trip up companies and establish a claim, and there have even been instances of extortion where a DSAR has been accompanied by "Give me £x and I will go away". Motivation is however irrelevant – the obligation on controllers still exists to respond. 

To help ease these administrative burdens of DSARs, the Information Commissioner’s Office carried out a consultation in March 2022 to determine if more guidance was needed on how companies should deal with unfounded or excessive requests.

However, there was no mention of how to deal with mass orchestrated requests.

Looking ahead, organisations that don’t have policies in place and legal governance over their data will struggle to meet the rising tide of DSARs and issues such as shadow IT can add complexity and delay. 

Treating a DSAR not reactively but proactively is key. By using data retention strategies and automated processes to do much of the groundwork, such as verifying requests, it’s possible to dramatically reduce processing times.

Any initial investment will quickly be repaid, as the organisation will be able to deal with requests within the 30-day timeframe. 

Ray Pathak is vice president of data privacy at Exterro