· News

Rise in data requests costing businesses millions

Social media messages, WhatsApp messages and texts relating to the employee are all disclosable under a DSAR

A rise in data subject access requests (DSARs) is costing businesses millions, according to research from HR and law group Loch Associates.

Employees may make a DSAR to find out what information an organisation holds on them, such as medical records or WhatsApp messages about them.

A response must be issued within 30 days, and all data must be supplied.

The average individual DSAR costs an SME £20,000.

The Information Commissioner's Office (ICO), which handles DSAR complaints, witnessed a 23% increase in complaints from April 2022 to March 2023.

Read more: The weaponisation of data subject access requests

Joe Milner, partner with Loch Associates Group, said the actual increase in DSARs will be greater, as the ICO only has access to the number of complaints.

He told HR magazine: “More individuals have become aware of using DSARs as a tool – some would say a weapon – to support them in their disputes with organisations, often using it as a ‘fishing expedition'.

“Raising a DSAR is now often considered a default option for individuals who are looking to negotiate an exit package or to negotiate a settlement from a more informed position.”

Milner said that the introduction of GDPR created greater awareness around data protection rights.

He said: “Since the introduction of GDPR in 2018, we are all reminded of our data protection rights daily, whether it’s a data processing pop-up on a website, signing a privacy notice when we start a new role, or going through ‘data breach’ training as an employee.

“Recently, there has been more extensive coverage about DSARs specifically as it became known that Nigel Farage was able to establish the reasons why his NatWest Bank account was closed via a DSAR.”

In July, former UKIP leader Farage used information from a DSAR to claim that private bank Coutts had not closed his account because he no longer met its financial threshold, as Coutts had told him, but rather because Farage’s political views did not align with the bank’s values. 

Read more: How will you deal with the deluge of employee DSARs?

Gathering data within the 30-day limit can be a costly and time-consuming process, so employers must have processes clearly in place, Milner added.

He said: “Requests often result in reviewing potentially thousands of documents, then redacting or excluding information that is privileged, relates to third parties or falls under another exemption. Then the response to the individual has to be prepared.

“Training staff and having processes in place are paramount. Record keeping protocol and making sure you only retain relevant information; basically, ensure you cleanse old data. Also, removing documents and information that they don’t need to keep. There are cost savings here too as it costs money to store information.”