How to prevent DSAR complaint escalation

September 2024

Nearly forty thousand complaints were received by the Information Commissioner’s Office in the past year. Staggeringly, 39% of them concerned people’s Right of Access according to the ICO’s Annual Report 2023/24.

Handling Data Subject Access Requests (aka DSARs or SARs) can be fraught. Often those requesting a copy of their personal data are already disgruntled, be it an employee going through a grievance procedure or a dissatisfied customer.

This means requestees are often quick to react if the statutory deadline is missed. They may also closely scrutinise your response, looking for any mistakes or omissions. Or their solicitor will.

Any requestee has the potential to become dissatisfied and escalate matters to the ICO. More than a decade ago, I was handling a request and missed the deadline by 24 hours. Much to my frustration they’d had already fired off their complaint to the ICO, and this was pre-GDPR!

I know of many businesses who’ve received letters from the ICO following a DSAR complaint. These will usually ask you to address the issues raised directly with the individual – and quickly! However, if your organisation racks up too many ICO complaints, the regulator is likely to delve deeper. This delving has led to a number of ICO DSAR-related reprimands being issued.

Most recently, the Labour Party has been in the spotlight for ‘repeatedly failing to respond to people who asked what personal information the party held on them’. A backlog of requests mounted up after a cyber attack in October 2021, with the ICO receiving 150 complaints. During its investigation, the ICO discovered 78% of people had not received a response within the maximum extended timescale of three months and more than half were delayed by over a year. They also found an unmonitored ‘privacy inbox’ was overflowing with hundreds of DSAR and erasure requests – none of which received any form of response whatsoever.

Hopefully most organisations will avoid such a catalogue of problems, but it’s still worth remembering certain factors can prompt a spike in DSAR requests. In this case a cyber attack, but a non-cyber data breach could also create a surge. Similarly, a business restructure might prompt a rise in employee-related requests. And let’s not forget the random factor – like Mr Farage’s very public DSARs to NatWest, which not only led to NatWest getting an increase in requests, but reportedly had a knock-on effect on other banks too.

Here are my tips for getting on the front foot and mitigating the risk of complaint escalation.

6 golden rules for managing DSARs

1. Staff awareness & a sense of urgency

A request can be submitted in writing, verbally or even via social media. It doesn’t matter who in the business receives a request. Employees all need to be able to recognise them (and other privacy rights, such as erasure), and know what to do if they receive or spot one. Failing to do so puts you on the back foot straight away.

Everyone needs to be aware time is of the essence, so training and clear guidance is essential. Refresh it too, with friendly reminders.

Quick checklist:

Individual privacy rights are covered in new starter and refresher training.
Ongoing awareness via posters, intranet posts, newsletters etc.
Specialist training for those involved in the process of fulfilling requests.

2. Robust procedure

A clear procedure which walks relevant staff through the key steps and considerations is invaluable, especially for times when key people aren’t available and someone else has to pick up the reins. Procedures should clearly set out how to retrieve the data, the collation and assessment stage, what to redact (or extract), when exemptions might apply and so on.

Without this, a lot of knowledge could walk out the door when a key person leaves the business or is not available in cases of long periods of absence like maternity or sickness leave.

3. Adequate resourcing

Businesses receiving a significant volume of requests are likely to have a dedicated person or team to handle them. They might also have sophisticated software to help speed up the process. But for those who have low or fluctuating volumes, it can be tricky to judge how many people need to understand the process and manage requests.

In my experience, often the one or two people who have to handle requests end up snowed under for weeks and completely distracted from their day jobs when a DSAR lands on their desk with an ominous thump.

What happens if your go-to DSAR person is not available? The clock is ticking. You also need to factor in how to handle any spike in requests – seen or unforeseen. Have you got other adequately trained staff, or alternative resources on standby to cover higher volumes?

There was a case in Belgium where the Data Protection Authority ruled the person who normally handled DSARs being on long-term absence was no excuse for a late response. I think the UK’s ICO would take a similar stance.

4. Assigned responsibilities

While one person or a team may have ultimate responsibility for managing DSARs and responding to them on time, it’s likely others across the business will need to support them. For example, your IT team may play a significant role in retrieving the data, or HR may need to be closely involved in an employee-related DSAR.

It helps to make sure it’s clear who’s responsible for retrieving the data, reviewing the data, applying exemptions, apply redactions, reviewing the response, approving it and sending it out securely.

5. Managing expectations and communicating

This is my personal favourite; quite often requestees don’t quite understand what a DSAR really entitles them to, so it pays to set out your stall from the start. Explain what the right is and what they can expect to receive. Tell them you have a duty to protect the privacy of others, that it’s not a right to documentation and that exemptions may apply.

Keep in touch with requestees, and dare I say it, even pick up the phone and talk things through. Confrontation can sometimes be defused – I’ve known of DSARs being withdrawn after a decent chat (and with no pressure whatsoever applied).

6. Polished response

A good covering letter can go a long way to satisfying the individual that you’ve made every effort to fulfil their request. This can for example explain;

The personal data being provided
Some of the internal processes (where appropriate)
Redactions have been applied to protect the privacy of others (if relevant)
Why an exemption has been applied (if relevant)
Legally necessary supplementary information, (or a link to a Privacy Notice if this covers matters sufficiently)

The above is by no means an exhaustive list and I’m a big fan of a template response letter which can be adapted as needed.

Finally, don’t forget to inform people about their privacy rights such as the right to object, erasure, rectification and access. Privacy notices should set out these rights, and it should be clear how people can submit a request. And of course, tell them they have the right to raise a complaint with the ICO (with fingers firmly crossed they don’t).

Check out our DSAR Guide for more tips on seeking clarification, retrieving the data, complex requests and applying redactions.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.