As a sector that is heavily reliant on people and which interacts with people in a number of different contexts (both externally when dealing with consumers and internally when dealing with personnel management), the energy sector has seen a rise in the number of contentious data subject access requests (or DSARs) it is having to manage.
Data protection laws give everyone the right to access a copy of the personal data held about them by any organisation. While DSARs can be made for any reason, more often than not they relate to a broader dispute against the individual concerned, and the DSAR is made in order to gain access to information which could be relevant to their cause of action. Therefore, responding to DSARs appropriately often involves a tricky tightrope of complying with data protection laws while ensuring that your organisation’s position in any dispute is appropriately protected.
The risks of not responding to a DSAR can be significant. Individuals have rights to claim compensation against organisations under UK data protection laws if their rights are breached. There is also a risk of regulatory attention – the Information Commissioner’s Office (ICO) said in their annual report for 2023/24 that they received approximately 16,000 complaints about DSARs in the past year, representing about 40% of their total data protection-related complaints.
Although the ICO does not typically issue fines in relation to DSAR breaches, it does often issue public reprimands against organisations that do not respond to DSAR, which can have significant reputational impacts.
Companies can manage their DSAR risk by implementing the following top tips:
- Remember you can apply a two-month extension in complex cases;
- You are obligated to conduct reasonable and proportionate searches, which means you can apply appropriate parameters when searching for information relevant to the DSAR (such as specific custodians, dates, and key words or phrases) and limit your searches to systems which you expect will contain relevant personal data;
- A request may be manifestly unfounded or excessive if it is a repeated request, or if the requester intends to harass the organisation. This means that the request can be refused, or the requester can be charged a reasonable fee for the response;
- An individual is only entitled to access their own personal data – they are not entitled to personal data identifying third parties, nor are they entitled to information which doesn’t relate to them;
- There are a number of exemptions which apply to DSARs and which allow organisations in a number of circumstances to withhold information which would otherwise be disclosable in response to the DSAR (such as legally privileged information).
At Burness Paull we have cross-divisional specialist DSAR team including members from our data protection, employment and public law and regulatory teams, who can help organisations find pragmatic solutions to respond to complex DSARs. For more information, please contact Jo McLean.
Written by
Related News, Insights & Events
Risk Resilience in 2025
26/03/2025
Join our expert team to consider the top issues that we believe should be on your risk register in 2025.
Webinar: Essential elements of employment training
17/03/2025
We are delighted to launch our next “Essential Elements of Employment” training series, bringing legal issues to life in virtual webinars that are practical and meaningful.
Tartan Week NYC: Bridging tradition & business opportunities for Scottish organisations
27/02/2025 - Online webinar
Join us for an insightful webinar with key organisations shaping these Tartan Week activities, and discover the exciting opportunities for Scottish businesses to get involved.
