A Closer Look at Subject Access Requests and Enforcement by the Information Commissioner’s Office

In the treacherous landscape of data protection and privacy regulations, staying informed and compliant is vital for firms that process personal data. In the UK, the General Data Protection Regulation (GDPR) is the legislation governing data privacy, and the Information Commissioner’s Office (ICO) is tasked with enforcing it, which it does often. Case in point: in March 2023, Interserve UK was fined £4.4m by the ICO.

We thought it would be a good idea to take a look at HOW exactly the ICO enforces GDPR, especially in relation to subject access requests (SARs), and how breaches of this regulation are handled. I hope that, on reading further, you’ll have a clearer understanding of what to expect if you are ‘looked at’ by the ICO, and how to stay off their radar.

Firstly, remember that a Subject Access Request, or SAR, is a fundamental right of data subjects (individuals) under GDPR. It allows individuals to request access to the personal data organisations hold about them. The process typically involves a data subject sending a written request to the organisation (such as an employer or service provider), and the law prescribes that the receiver of this request must respond within 21 days.

SARs are a powerful tool for individuals to better understand how their data is being used, and they can encompass various types of information disclosure, from emails to customer records and more. They can, however, also be used as a ‘weapon’ against an organisation: for example, a disgruntled ex-employee or aggrieved customer may set out to cause the target organisation pain by forcing it to spend time and money on numerous and ‘excessive’ SARs. There is alarming evidence of this, and we see it trending up over time. (Sarima client data indicates that our clients are reporting a 62% increase in SARs deemed to be excessive or malicious from Oct 2022 to Oct 2023.)

The ICO is designed to be an independent regulator for data protection and privacy. Its primary role is to oversee compliance with GDPR, ensuring that organisations handle personal data in a transparent, fair, and lawful manner. This includes overseeing the handling of SARs and investigating breaches of the GDPR.

Enforcement

In relation to SARs, the ICO is actively involved in ensuring organisations meet their obligations under the law. If an individual feels their SAR has not been appropriately addressed, they can (and regularly do) raise a complaint with the ICO via an online form on the ICO’s website. The ICO will then investigate the complaint, and if it finds the organisation in violation of GDPR, it has the authority to issue fines and enforce corrective actions. Keep in mind that deciding whether or not a SAR has been sent with ‘weaponised or malicious’ intent can be subjective in many cases.

Penalties for GDPR breaches can be substantial, with fines of up to €20 million or 4% of the organisation’s global annual turnover, whichever is higher. It is therefore imperative that organisations be diligent in their workflows, searching of data, redaction and disclosure of information when dealing with SARs.

As an example of poor management, a UK council recently uploaded, in response to a request for information, a spreadsheet that contained personally identifiable information such as national insurance numbers, pension data, names and addresses, and equal opportunities data for 1854 current and 276 ex-employees. This forced the council to report the breach to the ICO, and it is now awaiting a significant fine.

In cases where a breach has occurred, the ICO takes a methodical approach to investigation and enforcement. The severity of the breach and the organisation’s response, together with the systems and mechanisms already in place to deal with SARs, play a crucial role in determining the ICO’s actions. The ICO also has a range of remedies available to it, used either alongside or instead of a fine; these include issuing warnings, reprimands, or corrective orders to ensure future compliance.

“It's essential for IT directors, Data Protection Officers and HR managers to implement robust and documented processes, systems and mechanisms to handle SARs effectively.”

Stay Informed and Prepared

Data owners have a responsibility to ensure their organisation complies with GDPR by effectively managing subject access requests. Staying informed about GDPR and the ICO’s enforcement mechanisms is crucial.

If you want to learn more about the complexities of subject access requests, how to manage them, and how to manage your resources and risk in this business area, please do not hesitate to reach out to us.

At Sarima, we can provide you with the guidance and expertise you need to manage the workflows, data indexing, redaction, and disclosure of information in response to a SAR.

We also offer an end-to-end service for businesses. See our Sarima-as-a-Service page (S-AAS) for more information.

If you have subject access request challenges and would like to learn more about how Sarima can help, please get in touch at [email protected] for an informal discussion.