GDPR Subject Access Request Warning for All!

With the first full year of the GDPR approaching rapidly, it appears that, as we predicted, the Information Commissioner’s Office (ICO) has started to direct some attention towards lower-level offences and to take direct action where it sees the opportunity.

Until now you could be forgiven for thinking that data protection fines have been restricted to larger organisations and headline-grabbing misdemeanours. However, last week the ICO fired a shot across the bows of all organisations that is unlikely to make any headlines but has potentially wider-reaching implications, and demonstrates the intent of the ICO to pursue any organisation which may not be taking its data protection obligations seriously.

UK Company Fined for Ignoring Subject Access Request (SAR)

ENFORCEMENT DETAILS:

https://ico.org.uk/action-weve-taken/enforcement/magnacrest-limited/

SUMMARY: Magnacrest Ltd failed to comply with a Data Subject Access Request made by the Data Subject. The Data Subject complained to the ICO, which then issued an enforcement notice; this was also ignored. The ICO subsequently took the organisation to court, where it admitted liability and was consequently fined £300, with a £30 victim surcharge, and was ordered to pay £1,133.75 towards prosecution costs.

IMPACT: The ruling will have an impact on all UK data controllers and sectors.

REGULATIONS: Art. 15 - GDPR Right of access by the data subject

OBSERVATIONS: This incident dates back to April 2017, more than a year before the GDPR came into effect, and the outcome will have been restricted in line with the regulations in force at the time.

  • The ICO is working through a large backlog of cases; who is to say there are not many more of these ‘open and shut’ cases ready to be initiated?
  • This fine is likely to have been much lower than would be the case under the GDPR and DPA 2018.

Magnacrest Ltd, a builder and developer, is not a large company, turning over an estimated £200K per year. It does not operate in a contentious field and is very unlikely to process special categories of personal data.

  • The ICO has shown that it is willing to undertake enforcement against all sizes of organisation and regardless of the business sector.
  • The fact that the ICO has not restricted its target to one which processes large volumes or sensitive information should serve as a warning that no one is safe from potential investigation.

It has been well documented that the ICO has been tackling a large backlog of Data Subjects’ complaints since the GDPR came into effect. However, it is clear from the interactions we have had to date that processes and procedures have been put in place to rectify this, and they are catching up.

  • Templated enforcement letters are being sent from the ICO on a far more regular basis.
  • Organisations are unlikely to be able to “hide” in the crowd; the ICO appears to be diligent in following up complaints.
  • The ICO appears inclined to side with the Data Subject and happy to pursue redress on their behalf, on multiple occasions if the Data Subject is not satisfied.
  • The standard enforcement response period appears to be seven days from the date of sending.

OFFICIAL COMMENT: Mike Shaw, the ICO’s Criminal Enforcement Manager, said:

“The right to access your own personal information is a fundamental and long-standing principle of data protection law. New laws brought into effect last May strengthen those rights even further.

Organisations not only have to respect this right but must also respect notices from the ICO enforcing the law. If they fail to do so then they must accept the consequences, which can include a criminal prosecution.”

POINTS OF INTEREST: It is interesting to note that, despite the judgement having been made and the fact that there is likely to have been an extended lead-up to the court case, Magnacrest has still not seen fit either to register as a Data Controller with the ICO or to add a privacy notice to its website.

One of the key unknown risk areas is what impact such bad publicity will have on the reputation of an organisation.

  • Only time will tell whether Magnacrest Ltd sees a negative business impact as a result of these findings. However it is unlikely to have had a positive effect!

RISKS: Assuming that the fine structure under the GDPR is pegged against organisational turnover (as described in the GDPR), organisations with a large-turnover, low-profit model may be carrying additional risk. Organisations such as builders may be operating on relatively small margins but have considerably larger turnovers. As such, there is the risk that inadequate controls and any subsequent fines could be disproportionate to the profit of the organisation expected to pay the fine.

OUR FINDINGS: We have seen a marked rise in the number of Subject Access Requests being triggered by Data Subjects since May 2018, and this trend does not appear to be slowing. Many Data Subjects are flexing their data rights to inflict discomfort upon an organisation with which they have a dispute of some variety.

Unfortunately, in many cases, organisations are not suitably prepared to undertake a SAR effectively or correctly, and as a result, the request has exactly the desired effect.

It appears commonplace for Data Subjects to return to the ICO several times if they are not happy with the outcome of a SAR (regardless of whether data was provided), and we have not yet found a case where the ICO has not gone back to the organisation for clarification.

RECOMMENDATIONS:

  1. Firstly, it is clearly inadvisable to ignore one's data protection obligations, as happened in the case above. Understanding one’s obligations around Data Subject Access Requests is a relatively simple concept to grasp. All data controlling organisations would be advised to create simple processes to ensure that ALL requests are recorded and actioned properly. It is unlikely to be a painless operation, but given the potential outcome (as demonstrated above) it is effort well spent.
  2. Article 15 of the GDPR is clear and concise as to the duties of an organisation to provide personal data to the Data Subject where requested.
  3. We’ve seen a number of cases over the last six months where organisations have not applied the requisite amount of effort to finding a Data Subject’s personal data and, as a result, have had ICO intervention, which has resulted in additional effort being expended to achieve the same original goal. We would recommend that the “do it right, do it once” approach is taken.
  4. Standard response times required by the ICO for enforcement appear to be seven days (calendar) from the date of sending. As such, acting quickly on any ICO communication is critical, and creating simple alerting processes to ensure that the right person within an organisation is made aware when any such communication arrives will reduce the risk of further ICO involvement.
  5. When an ICO enforcement letter is sent, there will always be a dedicated caseworker allocated. We recommend that contact is made with them immediately on receipt and, if required, further clarification requested from them. All of the interactions we have had to date with ICO caseworkers have been positive, and we would highly recommend talking to them about the issue.
  6. In line with the above, making sure that the correct person within an organisation is made aware is critical, and as such having a data protection contact available within an organisation is equally important.
  7. Finally, even for those organisations which have a robust and mature SAR process, there are lessons to be learnt. Most organisations are likely to only hold the content of a SAR for a set period, in line with their data retention policy. Given the fact that the ICO are working through a backlog, it may be prudent to retain records (and potentially content) for a longer period to be able to respond accurately to any ICO requests.

Hi Charlie, I hope you are well. Good to see GDPR is still on your mind. Maybe we could work together with your clients as part of our referral programme relating to 'On-Site' electronic data destruction & ethical IT asset disposal services as we carried out for you in the past. Feel free to call me on 07823 320960. Cheers Ray

JP Johnson

Redefining the limits of energy performance in the built environment

6 years

Personal Data is more than a functional commodity. It is part of a person’s Identity. It should be treated with great care. Rules and Enforcement are the first steps in behavioural change. It’s a pity so many companies have to be incentivised by fines to treat their customer or employee data with due care. But if that’s what it takes to get the ball rolling, I applaud the work of the IOC in looking after all our interests.

Tom Ryan

Social Care Systems & Digital Transformation

6 years
Gary Hibberd FCIIS

I simplify ISO27001 & Information Security for SMEs, helping them practice good 'Cyber Hygiene'

6 years

Very interesting... thanks for sharing. I think there is a lot happening 'under the surface'. Bit like a Swan, elegantly floating around with all the activity going on underneath! Perhaps that's what we're waiting for... the Black Swan to appear?!

More articles by Charlie Muir
