UK data protection officers are bracing themselves for a flood of data subject access requests (DSARs) once the Covid-19 lockdown lifts, amid claims that it will tip “an already dire situation into a melting pot of requests”.
According to a new study by privacy specialist Guardum, UK businesses are already spending £1.59m and 24 “man years” each year processing DSARs to ensure they comply with Article 15 of GDPR.
The study, conducted by Sapio Research among 100 DPOs, from companies with 250 or more employees, also highlights the challenges of maintaining compliance during lockdown.
Three-quarters (75%) of DPOs polled admit struggling to meet data compliance obligations while working remotely and 30% fear they will be overwhelmed by a post-pandemic DSAR storm fuelled by requests from furloughed or sacked employees.
Although the UK Information Commissioner’s Office has vowed to take a more lenient approach to data requests, three in five DPOs are fearful that they will not have the resources to deal with an uptick in requests following the return to work.
Guardum chief technology officer Darren Wray said: “There has definitely been an increase and there are numerous reasons for this. The key driver was the GDPR awareness programme that was run by the ICO and the UK media in the run-up to May 2018.
“Another point is that, under GDPR, DSARs are now free; prior to the Data Protection Act 2018 there was a nominal fee that could be charged by organisations and this put people off from applying.
“There has also been a marked change in the way that lawyers are using DSARs as part of the data discovery process. This wasn’t unheard of in the past but it seems to be the default starting position now for almost any HR type process.”
Fulfilling DSARs can involve finding, compiling and redacting data in digital and paper format across multiple departments both on company networks and in the cloud. In over three-fifths (63%) of cases this involves a combination of manual and automated processes.
Guardum claims that, on average, DPOs receive 27 DSARs per month, each costing £4,884.53 and taking 66 working hours to process, consuming around 30% of their working day.
Guardum co-founder Rob Westmacott added: “This research graphically illustrates the huge burden that data privacy professionals are shouldering to maintain data compliance.
“The Covid-19 pandemic has tipped an already dire situation into a potential melting pot of requests, with fears that the return to work and the ensuing post-mortem by furloughed and sacked workers will overwhelm data compliance teams.”