The hidden cost of GDPR data access requests

UK businesses are spending £1.59 million and 24 person-years annually on processing data subject access requests in compliance with Article 15 of GDPR, according to a new study commissioned by privacy specialist Guardum.

Data Subject Access Requests (DSARs) require data controllers to provide data subjects with a copy of their personal data within 30 days, or risk a fine of €20 million or four percent of turnover.

The study, conducted by Sapio Research among 100 data protection officers DPOs from companies with 250 or more employees, also highlights the challenges of maintaining compliance during lockdown. 75 percent of DPOs polled admit struggling to meet data compliance obligations while working remotely and 30 percent fear they will be overwhelmed by a post-pandemic DSAR storm fuelled by requests from furloughed or sacked employees. Three in five DPOs are fearful that they will not have the resources to deal with an uptick in requests following the return to work.

While people were able to request access to their data under the old Data Protection Act before GDPR came in, Darren Wray, CTO at Guardum says:

There has definitely been an increase and there are numerous reasons for this. The key driver was the GDPR awareness programme that was run by the ICO and the UK media in the run-up to May 2018.

Another what might seem like a minor point is that GDPR DSARs are now free, prior to the Data Protection Act 2018 there was a nominal fee that could be charged by organisations and this put people off from applying.

There has also been a marked change in the way that lawyers are using DSARs as part of the data discovery process. This wasn't unheard of in the past but it seems to be the default starting position now for almost any HR type process.

Fulfilling DSARs can involve finding, compiling and redacting data in digital and paper format across multiple departments both on company networks and in the cloud. In 63 percent of cases this involves a combination of manual and automated processes. On average DPOs receive 27 DSARs per month, each costing £4,884.53 per request and taking 66 working hours to process, consuming around 30 percent of their working day. It is hardly surprising therefore that investment in automating the DSAR process is top of the DPO wish list.

"This research graphically illustrates the huge burden that data privacy professionals are shouldering to maintain data compliance," says Rob Westmacott, co-founder of Guardum. "The Covid-19 pandemic has tipped an already dire situation into a potential melting pot of requests, with fears that the return to work and the ensuing post-mortem by furloughed and sacked workers will overwhelm data compliance teams."

The full results of the survey are available on the Guardum website.

Photo credit: docstockmedia / Shutterstock