Quick Hits
- Implementing an internal process for managing individual rights requests will be key to organizations remaining compliant with applicable data protection laws and managing compliance costs.
- The use of artificial intelligence to draft individual rights requests may lead to organizations undertaking excessive, unnecessary, and costly work when responding to them.
- Organizations that fail to respond to DSARs continue to be actively investigated and penalized by regulators in the EU, the UK, and other jurisdictions.
The current global economic climate has led to a rise in redundancies, and this appears to be prompting former employees to exercise their individual data rights. There has been a marked uptick across Europe in data subject access request (DSAR) submissions, that is, requests by individuals to exercise their right to obtain copies of the information an organization holds about them. Organizations are faced with dealing with this legal challenge, in many cases for the first time, and en masse. DSARs are also becoming increasingly comprehensive, with requests frequently requiring employers, and organizations in general, to search for, capture, and review all personal information being processed across their often complex digital ecosystems. This trend is likely to continue as economic conditions remain volatile and as individuals become increasingly knowledgeable about their individual data rights, in part due to increased data protection activism in the European Union, media coverage, and educational awareness around data privacy.
It also appears that artificial intelligence (AI) tools are being used by individuals to draft their DSARs. Although AI can generate requests that are comprehensive, well-written, and seemingly credible, these requests often include imperfect interpretations of legal requirements, including the applicability of those requirements in a particular context, as well as sometimes confusing, circular descriptions: arguably, common traits of AI-generated content that has not undergone human review. This use of AI presents challenges for organizations, which may want to note them when managing DSARs. An organization that aims to comply with a DSAR without challenging the accuracy of the request might end up providing information that is outside the parameters of the request, disclosing commercially sensitive information that it might otherwise withhold, or indeed disclosing information it is not legally permitted to disclose, such as personal data relating to other employees.
To effectively respond to the increasing volume and complexity of DSARs, organizations may want to consider the following steps:
- Developing and implementing a DSAR response process for handling requests that is both comprehensive and easily operational. Consider including in this process clear procedures for identifying, retrieving, and reviewing personal data.
- Undertaking a data-mapping exercise, if this has not already been done, to identify where personal data is processed across the organization’s operations and which systems are involved. This will enable the DSAR response team to quickly contact the relevant team or person when a DSAR is received, and to coordinate the prompt capture of personal data.
- Ensuring the organization is familiar with, or capable of quickly finding out, the applicable data protection laws and legal timeframes. This can help minimize the risk of repeat DSARs, complaints to supervisory authorities, and potential regulatory fines.
The rise in DSAR activity and increased data rights awareness present significant challenges for organizations. By establishing a comprehensive and efficient method for responding to these requests, organizations can ensure compliance with data protection laws and mitigate commercial and reputational risks, including by reducing compliance costs, business disruption, the risk of regulatory scrutiny, and reputational damage.
In addition, organizations may want to verify, using proportionate means, the identity of requestors; consider whether the existence of a DSAR should be reported to other teams in the organization as a wider employment issue; and ensure they remind individuals of their rights regarding their personal data, including their right to lodge a complaint with the relevant data protection authority.
Organizations may want to assess their current approach, or implement a new process, for managing individual rights requests so that they identify these requests when they are made, undertake searches for information to the extent legally required and in a commercially sensible way, and meet all applicable legal deadlines.
Failure to comply with up-to-date data protection laws and rules regarding individual rights can lead to commercial and reputational damage. If appropriate measures are not taken, corrective sanctions, including significant financial penalties, may be imposed.
Ogletree Deakins’ Cybersecurity and Privacy Practice Group will continue to monitor developments and provide updates on the Cross-Border and Cybersecurity and Privacy blogs as additional information becomes available.