Many experts anticipate global unemployment will exceed the 2008/09 financial crisis with the worst jobs market since the Great Depression. Within the UK alone, the unemployment rate might reach 8.5 percent or beyond.[1] Benefits claims have already hit 1.2 million since mid-March.[2] That’s eight times above normal levels.[3] Forecasters predict a 7.5% to 24% drop in the UK GDP for the second quarter.[4]

I believe that Coronavirus’s impact on the labour market will cause a significant rise in Data Subject Access Requests (“DSARs” or “Requests”) for UK and EU businesses subject to the General Data Privacy Regulations (“GDPR”), which also includes non-UK/EU companies doing business in the region.

Businesses are responding to the Coronavirus by adjusting operations for today’s environment, reducing costs, or both. A cost reduction mandate means redundancies.

Whatever the reason—a seasonal lull, failing to meet expectations, a burst bubble, a terrorist attack, a global pandemic—labour force reductions weigh heavy on the hearts and minds of executives. But this is the reality, as evidenced by the flood of headlines on redundancies. Sectors like Tourism & Leisure and Accommodations & Food have been hit especially hard.[5]

What does Coronavirus have to do with DSARs?

Much has been said about DSARs’ use as expedited discovery or disclosure. It can often take close to a year or longer to obtain files through court or administrative proceedings. But the DSAR 30-day deadline, even with the two-month extension for complex or numerous Requests, offers a shortcut.

This is highly convenient in the context of an aggrieved former employee who submits a DSAR in order to find information to support a legal employment action against the business. But this does represent a burden on the business. Indeed, to limit this burden in California, the Legislature is considering amending the California Consumer Privacy Act (“CCPA”) to prevent the CCPA’s use for this purpose.

Businesses subject to GDPR, however, must accept and manage the risk. The Information Commissioner’s Office (“ICO”) and established case law tell us that the Subject’s purpose in submitting a DSAR is immaterial.

A more recent and more interesting development is the ICO’s response to the query: What happens to timelines during COVID-19? To this, the ICO has said they “won’t penalise organisations” that must adjust usual practices during these extraordinary times.[6] The ICO also put individuals on notice that, “they may experience understandable delays when making information rights requests during the pandemic.”

Does this mean businesses can ignore DSARs for the upcoming months? No. Does this mean businesses have a year to respond to DSARs? Not likely. How a business does respond will be informed by its circumstances. Demonstrating reasonable efforts, in the context of these times, will be key for the ICO.

A record level of redundancies and a precedent of DSAR-use by aggrieved former employees are the basis for my view that businesses subject to the GDPR should anticipate high volumes of DSARs. So, the question becomes, what to actually do?

I suggest the following:

  1. Consider intake, validation, and tracking technology to manage the higher volumes of DSARs.
  2. Perform data mapping and planning. Sourcing the data is a real burden for IT Departments who are incredibly busy right now.
  3. Use Subject communications as an opportunity to scope the Request and timelines.
  4. Find an end-to-end provider to avoid having to manage multiple service and technology providers on your own.
  5. Have a solution in place to handle Personal Data Analysis and Redaction across high volumes of unstructured data (e.g., emails and chats). This will need to be secure and remote, given current lockdown requirements.
  6. Reduce data volumes defensibly with workflow and technology.
  7. Disclose to the Subject digitally.


– – –



[3] Id.