In the eye of a DSAR storm — Data Subject Access Requests in Consumer Activism

The current consumer campaign in relation to motor finance providers who operated discretionary commission arrangements with sales intermediaries, is the latest in a series of this type of campaigns. When an aspect of your industry or business becomes the focus of a consumer campaign, like the one we are seeing develop, you may face a significant increase in the volume of data subject access requests (“DSARs”). This can place a significant burden on staff, resourcing and carry  risk relating to a lack of timely compliance or errors in handling/disclosing information. Some organisations may be in a position to easily scale-up a well-oiled internal process, others may find this a real challenge juggling business as usual in addition to a surge in requests.

Key Considerations

Handling DSARs can require careful consideration of a range of digital and paper based information and documentation and the assessment of the rights of the requester and other persons identified in the information held. It may be necessary to consider a range of potential exemptions which mean information should not be provided to the requester. A lack of familiarity with the relevant rules and exemptions can make this challenging.

If your business is a regulated firm, you will also need to consider the requirements of your regulator. For example, if you are a business regulated by the Financial Conduct Authority (“FCA”) you will also need to consider your obligations under the regulatory system. This includes compliance with the FCA’s principles for businesses, the consumer duty and possibly the FCA’s complaints handling requirements contained in its DISP rulebook. While a DSAR is usually a request for information and is not a complaint, as there is no prescribed format for customers to use when making the request, it is possible for a customer to include various requests and matters in one communication to your business. This means that once a request is received it should be carefully checked to ensure that all matters stated in it are appropriately filtered to be dealt with in compliance with relevant legal and regulatory requirements. 

Where DSARs are received as part of consumer campaign, there may be opportunities to streamline your process and leverage the fact that requests relate to the same type of records. It may be possible to establish a context specific set of rules which can be applied to each request to allow more easily for additional staff to be brought in to support the existing DSAR team.

Adopting such an approach at scale makes it all the more important to ensure that the context specific rules are accurate and appropriate. You need to mitigate the risk of simply scaling up errors because of a lack of understanding of the rules.

An efficient system will help with timely and appropriate compliance and will reduce key risks including disclosures to requesters whose identity has not been adequately confirmed, disclosures to the wrong requester, incomplete or excessive disclosures, late disclosure or missed requests. In turn, that will mitigate the risk of complaints to the Information Commissioners Office and the risk of requesters bringing claims for damages for lack of compliance.

The DSAR process will need to be overseen by suitably senior members of staff with an appropriate understanding of the process and the relevant rules. Staff handling the Subject Access Requests need to know what is required to check/confirm the requester’s identity, clarify what the request is, check if it is legitimate and where to look/search on your systems to identify relevant material. They should have an understanding of the type of material which a requester’s file is likely to contain and which elements of that material are readily disclosable and which will require careful consideration to avoid adversely affecting the rights of other. They should understand the role of redaction and be properly instructed in using an appropriate redaction tool to ensure that any redactions are effective, not illusionary. They will need to be familiar with the appropriate checks which need to be conducted before the material is sent out to the requester. You will also need a process for logging and acknowledging requests and tracking their progress to ensure they are managed in a timely manner.

DSARs must be fulfilled “without undue delay” and, at the latest, within one month of receipt of the request. Where requests are complex or numerous, it may be possible to extend the deadline to three months, but you must still respond to the request within a month and explain why the extension is necessary. The format in which the requester’s information is to be given will also be important to consider, as well as giving the data subject information on their rights.

Keeping a detailed record of requests made will also be important not just for FCA regulated firms to help with evidencing their compliance with regulatory requirements, including the consumer duty, but also for internal audit purposes and for assessing performance in the handling of the requests. 

How we can help

Organisations will have different levels of maturity in their DSAR handling and some will be well equipped to deal with such requests. However, for many organisations this may be the first real test of your DSAR handling capabilities. We are here to help by undertaking a ‘health check’ on your current procedures and advising you on streamlining your process for a particular context. Where necessary we can assist by taking on more of the day-to-day burden of document review, consideration and application of exemptions and redactions, and finalising material for disclosure.

Key contacts

Stewart Duffy

Legal Director

StewartD@Cyxcel.com

Jill Dalkin

Legal Director

JillD@Cyxcel.com