Data protection officers (DPOs) are feeling the pressure of the pandemic and are struggling to keep up with compliance obligations during lockdown, research seen by Verdict shows.
DPOs also worry that the layoffs made because of the pandemic’s economic fallout will cause a spike in Data Subject Access Requests (DSARs), which are often a precursor to workplace disputes.
Three-quarters of surveyed DPOs said they were struggling to keep up with their data compliance obligations during lockdown, according to research conducted by Guardum.
The London-based firm, which provides software to automate DSARs, surveyed 100 DPOs from companies with 250 or more employees between 29 April and 5 May this year.
DPOs are bracing for a wave of fresh DSARs when the furlough scheme draws to a close in October, the research shows. Subject access requests are often made by employees before pursuing litigation. When employees begin to return to work, 30% of respondents said they feared they would be overwhelmed as furloughed and sacked employees make requests for the data their employer holds on them.
“This research graphically illustrates the huge burden that data privacy professionals are shouldering to maintain data compliance,” said Rob Westmacott, co-founder of Guardum.
“The Covid-19 pandemic has tipped an already dire situation into a potential melting pot of requests, with fears that the return to work and the ensuing post-mortem by furloughed and sacked workers will overwhelm data compliance teams.”
Under Article 15 of the General Data Protection Regulation (GDPR), individuals have a legal right to ask firms for a copy of the personal data held on them. Once the request is made, organisations have one month to provide the requested material, which covers both digital and physical records.
Failing to do so risks a fine of up to €20m or 4% of turnover from data protection authorities. However, fines are on a sliding scale depending on the severity of the offence. The UK’s Information Commissioner’s Office (ICO) prefers to keep financial penalties as a last resort for failed DSARs.
Unprecedented challenges for DPOs
One of the difficulties DPOs face during lockdown is accessing physical records located in the office.
Westmacott said that compliance teams also face the challenge of coordinating their work while “dotted here there and everywhere”.
“[With] people being dispersed, albeit they’re connected via virtual meetings etc, it’s still a lot more difficult to put your hands on the relevant material and assess that and work together to get that out into a successful response,” he said.
Sandip Patel QC, who provides advice to data protection officers in his role as managing partner at international law firm Aliant, told Verdict that the DPO role has “changed in these times considerably” and that they face “unprecedented challenges”.
He said that he anticipated an increase in DSARs made to frontline organisations, such as healthcare and social services, and warned that it is “almost inevitable” that a backlog is currently building up.
High cost of DSARs
Guardum’s research also highlighted the soaring costs associated with processing DSARs. UK firms with a headcount of over 5,000 are spending £1.59m per year to complete them, the research found. On average, DPOs receive 27 DSARs per month.
Each request costs an average of £4,884.53 to process and takes 66 working hours to complete. This works out at 30% of their working day spent processing DSARs.
“By far the biggest challenge facing DPOs is managing the sheer volume of personal data that needs to be reviewed before a response can go out,” said Hayley Youngs, DPO for an unnamed global organisation.
“It’s not unusual for a single request about an individual to generate multiple responses from different departments – each one containing attachments of various kinds that must be sorted and redacted before the DSAR process can be completed.”
“A lot of access requests are without merit,” added Patel. “And that’s the problem with the DSAR system – you have to separate the valid from the non-valid requests.”
In April the ICO said that it would provide flexibility to organisations during the pandemic.
“A principle underpinning data protection law is that the processing of personal data should be designed to serve mankind,” said information commissioner Elizabeth Denham.
“Right now, that means the regulator reflecting these exceptional times, and showing the flexibility that the law allows.”