As a sector that is heavily reliant on people and which interacts with people in a number of different contexts (both externally when dealing with consumers and internally when dealing with personnel management), the energy sector has seen a rise in the number of contentious data subject access requests (or DSARs) it is having to manage.

Data protection laws give everyone the right to access a copy of the personal data held about them by any organisation. While DSARs can be made for any reason, more often than not they relate to a broader dispute against the individual concerned, and the DSAR is made in order to gain access to information which could be relevant to their cause of action. Therefore, responding to DSARs appropriately often involves a tricky tightrope of complying with data protection laws while ensuring that your organisation’s position in any dispute is appropriately protected.

The risks of not responding to a DSAR can be significant. Individuals have rights to claim compensation against organisations under UK data protection laws if their rights are breached. There is also a risk of regulatory attention – the Information Commissioner’s Office (ICO) said in their annual report for 2023/24 that they received approximately 16,000 complaints about DSARs in the past year, representing about 40% of their total data protection-related complaints.

Although the ICO does not typically issue fines in relation to DSAR breaches, it does often issue public reprimands against organisations that do not respond to DSAR, which can have significant reputational impacts.

Companies can manage their DSAR risk by implementing the following top tips:

• Remember you can apply a two-month extension in complex cases;
• You are obligated to conduct reasonable and proportionate searches, which means you can apply appropriate parameters when searching for information relevant to the DSAR (such as specific custodians, dates, and key words or phrases) and limit your searches to systems which you expect will contain relevant personal data;
• A request may be manifestly unfounded or excessive if it is a repeated request, or if the requester intends to harass the organisation. This means that the request can be refused, or the requester can be charged a reasonable fee for the response;
• An individual is only entitled to access their own personal data – they are not entitled to personal data identifying third parties, nor are they entitled to information which doesn’t relate to them;
• There are a number of exemptions which apply to DSARs and which allow organisations in a number of circumstances to withhold information which would otherwise be disclosable in response to the DSAR (such as legally privileged information).

At Burness Paull we have cross-divisional specialist DSAR team including members from our data protection, employment and public law and regulatory teams, who can help organisations find pragmatic solutions to respond to complex DSARs. For more information, please contact Jo McLean.

Related News, Insights & Events