UK businesses spend £1.59 million and 14 person-years annually processing DSARs, finds new survey amongst DPOs
May 2020 by Guardum
An independent survey amongst 100 Data Protection Officers (DPOs) exposes the burden placed on UK businesses of complying with Article 15 of the GDPR. The research, commissioned by British data privacy experts Guardum, reveals that UK businesses are spending £1.59 million and 14 person-years annually on completing Data Subject Access Requests (DSARs). A DSAR requires the data controller to provide the data subject with a copy of their personal data within 30 days, or risk a fine from the ICO of €20 million or 4% of turnover.
The independent research, conducted by Sapio Research among 100 DPOs from companies with 250 or more employees between 29th April and 5th May 2020, also highlights the challenges of maintaining compliance during lockdown. Seventy-five percent of DPOs polled admit struggling to meet data compliance obligations while working remotely and 30% fear they will be overwhelmed by a post-pandemic DSAR storm fuelled by requests from furloughed or sacked employees. Three in five DPOs are fearful that they will not have the resources to deal with an uptick in requests following the return to work.
The results highlight the everyday challenges facing data compliance professionals in fulfilling DSARs, which involve finding, compiling and redacting data in digital and paper format across multiple departments, both on company networks and in the cloud. In 63% of cases this involves a combination of manual and automated processes. On average, DPOs receive 27 DSARs per month, each costing £4,884.53 and taking 66 working hours to process, consuming around 30% of their working day. It is hardly surprising, therefore, that investment in automating the DSAR process is top of the DPO wish list when given a magic wand to invest as they please.
According to Rob Westmacott, co-founder of Guardum: “This research graphically illustrates the huge burden that data privacy professionals are shouldering to maintain data compliance. The Covid-19 pandemic has tipped an already dire situation into a potential melting pot of requests, with fears that the return to work and the ensuing post-mortem by furloughed and sacked workers will overwhelm data compliance teams.”
“We are already starting to see a rise in consumer requests in California as part of the compliance obligations under the CCPA,” he continued, “and it is not unrealistic to expect a similar trend here in the UK especially in relation to employee related requests. As the temporary financial support mechanisms are scaled back and more onus is placed upon the employer to shoulder the financial burden of staff whilst the business remains closed, employees will sadly be let go and with that comes possible litigation. DSARs tend to be the precursor to any form of employee related dispute.”
“By far the biggest challenge facing DPOs is managing the sheer volume of personal data that needs to be reviewed before a response can go out,” said Hayley Youngs, UK & Ireland Group DPO for a global organisation. “It’s not unusual for a single request about an individual to generate multiple responses from different departments, each one containing attachments of various kinds that must be sorted and redacted before the DSAR process can be completed.” Under the GDPR, any organisation that processes personal information at scale is required to have a DPO responsible for the governance, privacy and compliance of all PII on its systems. In addition to carrying out risk assessments and preparing for compliance audits, the typical DPO’s workload includes responding to DSARs from members of the public enquiring about their own personal data held by the organisation.