Received a DSAR Request? Here are some potential exemptions

With Data Subject Access Requests (DSARs) on a steep rise, one of the most important questions to consider as an organisation is: when can DSAR requests be refused? The average individual DSAR is said to cost an SME around £20,000, with many requests far exceeding this due to the labour- and resource-intensive nature of fulfilling a DSAR. If your organisation processes considerable amounts of personal data, you should be aware of what a DSAR entails, along with the grounds upon which you may rely to refuse a request.

As you may know, DSARs are governed by the Data Protection Legislation, which gives individuals the right to request access to personal data concerning them from a data controller, meaning any organisation that processes an individual’s personal data. Requests must be responded to “without undue delay”, and organisations must make reasonable efforts to retrieve and provide the information requested. It is therefore advised that your organisation should have a DSAR policy in place to reduce processing times and ensure that requests are properly complied with in a prompt manner.

It is important to ensure you comply with DSARs correctly, as failures may lead to complaints to the ICO resulting in enforcement action and penalties. Indeed, the ICO has confirmed that a significant portion of the data protection complaints received by them relate to DSARs. With the number of DSAR complaints relating to organisations misunderstanding DSAR exemptions on the rise, it is important to ensure that DSAR request refusals are based on valid grounds for exemption.

Refusing a DSAR request under UK Data Protection law

The UK GDPR allows organisations to refuse a DSAR request where the request is deemed “manifestly unfounded or excessive”. This is the ground that would permit a refusal of the whole DSAR request, as opposed to exemptions which may allow organisations to withhold the specific information covered by those exemptions when dealing with DSAR requests. There are several factors to take into account when considering a denial on this ground, including:

  • the nature of the request
  • the relationship with the requester
  • the requester’s intention

For instance, if an organisation can prove that the requester is not genuinely seeking to exercise their rights, but rather intends to cause disruption or seeks financial compensation in exchange for withdrawing their request, an organisation may be able to deny the DSAR request on this exemption ground. An organisation may also refuse a DSAR request if the requester makes several requests over a short period of time, as this may be deemed “manifestly excessive”. Please note that just because a request may relate to a large amount of information, this does not automatically give rise to this exemption.

If you are considering relying on this exemption for a current DSAR request, please note that the requester has the right to complain to the ICO if the DSAR request is refused. It is therefore important to ensure you have considered all appropriate factors carefully when making this decision.

Other exemptions under UK Data Protection law

Where a DSAR request may not fall under the “manifestly unfounded or excessive” criteria, UK Data Protection laws nevertheless allow for a number of DSAR exemption grounds, with those most commonly relied upon outlined below:

1) Third party data

UK Data Protection legislation allows for an exemption where providing data in response to a DSAR request would reveal information about an individual other than the requester. Similarly, legislation allows for an exemption where providing information as part of a DSAR request could impinge upon the rights and freedoms of others.

Relying on third-party exemptions would again require consideration of various factors, including third-party consent and confidentiality, amongst others.

Your organisation may be required to redact data as part of your response to the DSAR request, and you should consult an expert, such as a data protection professional, when required.

2) Legal privilege

Exemptions relying on this ground relate to information that is communicated between a client and their legal advisers when seeking legal advice and/or assistance with litigation.

It may be that some of this information can be omitted from a DSAR request response, but you will need to seek guidance from a data protection expert to confirm whether the appropriate conditions are satisfied.

3) Crime and taxation

A DSAR request may potentially be refused if complying could prejudice certain crime and tax-related purposes, such as:

  • the prevention or detection of a crime
  • the apprehension or prosecution of offenders or
  • the assessment or collection of a tax or duty or an imposition of a similar nature

This needs to be judged on a case-by-case basis, and the exemption cannot be used as a blanket refusal for whole categories of personal data. 

4) Management forecasting or planning

Your organisation may be able to deny a DSAR request if complying could reveal information that may prejudice your organisation’s business plans, such as:

  • information relating to restructuring or
  • information regarding layoffs or
  • other business planning issues

Along with the above, there are a number of other exemptions that may allow for refusing to provide information as part of a DSAR request, which we may be able to assist your organisation with if applicable.

When relying on any of these exemptions to refuse a request, please note that the requester must receive an explanation of why their request has been refused within one month of receiving the request.

How Hope & May can help you with your DSAR request

We can: 

  • Provide advice and guidance on requests received along with any potential exemptions
  • Respond to and manage your DSAR requests as your external DPO
  • Redact data as part of our external DPO service to ensure your response is compliant with data protection law and does not wrongly disclose data relating to other parties
  • Review your current DSAR policy or create a new one tailored to your organisation for future requests

If you have any questions, please contact us today at info@hope-may.com.
