Coronavirus May Cause a Spike in Data Subject Access Requests
Many experts anticipate global unemployment will exceed the 2008/09 financial crisis with the worst jobs market since the Great Depression. Within the UK alone, the unemployment rate might reach 8.5 percent or beyond. Benefits claims have already hit 1.2 million since mid-March. That’s eight times above normal levels. Forecasters predict a 7.5% to 24% drop in the UK GDP for the second quarter.
I believe that Coronavirus’s impact on the labour market will cause a significant rise in Data Subject Access Requests (“DSARs” or “Requests”) for UK and EU businesses subject to the General Data Privacy Regulations (“GDPR”), which also includes non-UK/EU companies doing business in the region.
Businesses are responding to the Coronavirus by adjusting operations for today’s environment, reducing costs, or both. A cost reduction mandate means redundancies.
Whatever the reason—a seasonal lull, failing to meet expectations, a burst bubble, a terrorist attack, a global pandemic—labour force reductions weigh heavy on the hearts and minds of executives. But this is the reality, as evidenced by the flood of headlines on redundancies. Sectors like Tourism & Leisure and Accommodations & Food have been hit especially hard.
What does Coronavirus have to do with DSARs?
Much has been said about DSARs’ use as expedited discovery or disclosure. It can often take close to a year or longer to obtain files through court or administrative proceedings. But the DSAR 30-day deadline, even with the two-month extension for complex or numerous Requests, offers a shortcut.
This is highly convenient in the context of an aggrieved former employee who submits a DSAR in order to find information to support a legal employment action against the business. But this does represent a burden on the business. Indeed, to limit this burden in California, the Legislature is considering amending the California Consumer Privacy Act (“CCPA”) to prevent the CCPA’s use for this purpose.
Businesses subject to GDPR, however, must accept and manage the risk. The Information Commissioner’s Office (“ICO”) and established case law tells us that the Subject’s purpose in submitting a DSAR is immaterial.
A more recent and more interesting development is the ICO’s response to the query: What happens to timelines during COVID-19? To this, the ICO has said they “won’t penalise organisations” that must adjust usual practices during these extraordinary times. The ICO also put individuals on notice that, “they may experience understandable delays when making information rights requests during the pandemic.”
Does this mean businesses can ignore DSARs for the upcoming months? No. Does this mean businesses have a year to respond to DSARs? Not likely. How a business does respond will be informed by its circumstances. Demonstrating reasonable efforts, in the context of these times, will be key for the ICO.
A record level of redundancies and a precedent of DSAR-use by aggrieved former employees are the basis for my view that businesses subject to the GDPR should anticipate a high volumes DSARs. So, the question becomes, what to actually do?
I suggest the following:
Learn more about Morae’s DSAR solution.
– – –
Patrick Kellermann is a Senior Director and the UK Head of Managed Services for Morae, a discovery, technology, and advisory firm. He led the development of Morae’s DSAR Solution and oversees a team of DSAR consultants, project managers, and engineers. You can contact Patrick with any inquiries at 020-8126-6698 or [email protected].
In Other Posts
Stay in the Know
Subscribe to our newsletter for the latest news about legal, risk, and compliance issues.