In this update, we explain the proposed reforms coming in the Data (Use and Access) Bill related to data subject access requests (DSARs) and their likely impact on organisations, and detail how Deloitte Legal’s Data Protection & Cybersecurity team can support organisations in planning for and dealing with DSARs.
The Data (Use and Access) Bill
On 23 October 2024, the UK’s highly anticipated Data (Use and Access) Bill (DUA Bill) was introduced to Parliament. The Department for Science, Innovation and Technology framed it with the promise to “harness the enormous power of data to boost the UK economy by £10 billion”.
An area being reformed by the DUA Bill is data subject access requests (DSARs). Under current UK data protection legislation (and EU GDPR), individuals have rights to request access to a copy of their personal information being processed by a controller organisation, together with certain supplementary information. DSARs are commonly made by (ex)employees or customers, often as an adjunct to dispute procedures or litigation, and can be a huge resource-drain on organisations’ in-house teams.
What does the DUA Bill mean for DSARs?
The provisions relating to DSARs predominantly mirror case law and/or place existing Information Commissioner’s Office (ICO) guidance on statutory footing.
In particular, the DUA Bill:
- clarifies when controllers can stop the clock for the purposes of calculating the applicable time period for response;
- outlines the circumstances in which an extension of the applicable time period may be necessary, i.e. due to the complexity or number of requests submitted;
- clarifies that controllers only need to carry out a “reasonable and proportionate” search when responding to DSARs; and
- empowers the Secretary of State to require law-enforcement controllers to disclose the fees they charge to respond to manifestly unfounded or excessive requests, and stipulates that, where they refuse to respond to a request, they must: (i) provide reasons; and (ii) inform the data subject of their right to complain to the Information Commissioner.
The controversial proposals contained in the earlier Data Protection and Digital Information (DPDI) Bill to broaden the circumstances in which controllers can refuse to respond to DSARs to include the concept of “vexatious or excessive” requests have been dropped. The higher GDPR threshold of “manifestly unfounded or excessive” requests therefore looks set to continue to apply.
DSARs (and DSAR complaints) on the rise
Many organisations across various sectors have reported a significant rise in DSARs over the last few years. The ICO’s 2023-2024 annual report states “Article 15 complaints, which are about the right of access, account for most of our data protection complaints work at 38.74%”. In August 2024, the ICO revealed that it has seen a 15% increase in the number of DSAR complaints in the financial services sector alone, demonstrating the challenges in responding to DSARs in a timely and compliant way.
Although the DUA Bill brings some welcome clarity on DSAR procedure, the considerable resource demands associated with managing a DSAR remain.
Processing DSARs is a costly and time-consuming exercise due to the large volume of data typically involved. DSAR responses can also require strategic considerations when the DSAR is used as a pre-discovery tool for employment and related disputes. Organisations dealing with DSARs internally will need to dedicate resources to both identifying and locating the requested data, and reviewing, redacting and appropriately presenting it – all within a one-month timeframe.
Here's where we come in
Our DSAR service is unique. We support organisations with everything from outsourced, fully managed, legally-enhanced DSAR services using proprietary AI to ad-hoc legal and non-legal support for strategic, contentious and resource-intensive DSARs, to arming in-house teams with policies, playbooks and guidance to more effectively respond to DSARs internally.
Our DSAR response services bring together legal expertise, cutting edge technology and forensics capabilities through:
- High-tech data processing power for large datasets
- Industry-leading, AI-enabled data review & redaction technology
- Integrated intelligent triage, legal quality assurance and strategic advice
- Compliance-focused: auditable, systematic, accountable and regulatory-deadline-driven
Deloitte Legal’s Data Protection & Cybersecurity team would typically get involved in delivering:
- top level review and legal advice on exemptions to disclosure
- strategic advice on what should be disclosed, when and how
- sign-off on disclosure packages and preparing disclosure letters
- follow up advice on responding to data subject queries/complaints
- an audit trail report documenting a defensible position for all actions and positions taken.
This supports clients in meeting their regulatory deadline to comply with the DSAR and in not over-disclosing information, being particularly mindful of not prejudicing any parallel litigation.
Get in touch
If any of these issues or solutions might be relevant to your organisation, please get in touch with Deloitte Legal’s Data Protection & Cybersecurity team to discuss how we can support you.