Over the past year or so, there’s been a decided upswing in the number of subject access requests made by individuals to organizations that crunch their data. There are a number of reasons for this, but they’re principally driven by a greater public awareness of privacy rights in a post-Snowden era and following the recent Google “Right to be Forgotten” decision.
If you’re unfamiliar with the term “subject access request", then in simple terms it’s a right enshrined in EU law for an individual to contact an organization and ask it (a) whether it processes any personal information about the individual in question, and (b) if so, to supply a copy of that information.
A subject access request is a powerful transparency tool for individuals: the recipient organization has to provide the requested information within a time period specified by law, and very few exemptions apply. However, these requests often prove disproportionately costly and time-consuming for the organizations that receive them - think about how much data your organization holds, and then ask yourself how easy it would be to pull all that data together to respond to these types of requests. Imagine, for example, all the data held in your CRM databases, customer support records, IT access logs, CCTV footage, HR files, building access records, payroll databases, e-mail systems, third party vendors and so on - picture that, and you get the idea.
In addition, while many subject access requests are driven by a sincere desire for data processing transparency, some (inevitably) are made with legal mischief in mind - for example, the disgruntled former employee who makes a subject access request as part of a fishing expedition to try to find grounds for bringing an unfair dismissal claim, or the representative from a competitor business looking for grounds to complain about the recipient organization’s data compliance. Because of these risks, organizations are often hesitant about responding to subject access requests in case doing so attracts other, unforeseen and unknown, liabilities.
But, if you’re a data controlling business facing this conundrum, don’t expect any regulatory sympathy. Regulators can only enforce the law as it exists today, and this expects prompt, comprehensive disclosure. Not only that, but the fact that subject access requests prove costly and resource intensive to address serves a wider regulatory goal: namely, applying pressure on organizations to reduce the amount of data they hold, consistent with the data protection principle of “data minimization”.
Therefore, considering that data storage costs are becoming cheaper all the time and that, in a world of Big Data, data collection is growing at an exponential rate, subject access becomes one of the most important - if not the most important - tool regulators have for encouraging businesses to minimize the data they retain. The more data you hold, the more data you have to disclose in response to a subject access request - and the more costly and difficult that is to do. This, in turn, makes adopting a carefully thought-out data retention policy much more attractive, whatever other business pressures there may be to keep data indefinitely. Retain data for just a year or two, and there’ll be an awful lot less you need to disclose in response to a subject access request. At the same time, your organization will enhance its overall data protection compliance.
So what does all this mean? When considering your strategy for responding to subject access requests, don’t consider it in isolation; think also about how it dovetails with your data retention strategy. If you’re an in-house counsel or CPO struggling to get business stakeholder buy-in to adopt a comprehensive data retention strategy, use subject access risk as a means of achieving this internal buy-in. The more robust your data retention policies, the more readily you’ll be able to fulfill subject access requests within the timescales permitted by law and with less effort, reducing complaints and enhancing compliance. Conversely, with weaker (or non-existent) data retention policies, your exposure will be that much greater.
Subject access and data retention are therefore really just two sides of the same coin - and you wouldn’t base your compliance on just a coin toss, would you?