Results from the 2019 Privacy Governance Report released by EY and the International Association of Privacy Professionals (IAPP) are telling. In the third of our series on this report, we deep dive into the chapter devoted to data subject requests, also known as data subject access requests (DSARs).
Generally, DSARs are received under the General Data Protection Regulation (GDPR) but in Australia, a request to access your personal information may be made under Australian Privacy Principle 12 of the Privacy Act 1988 (Cth). Access is generally available, subject to a limited number of exemptions.
Anecdotal evidence suggests that requests by individuals for their data have been increasing year on year. The report indicates that the highest number of requests received were for access, followed by requests exercising the right to erasure and for rectification.
The report also shows that EU firms received far more access requests than US based firms and that B2C businesses received only a slightly higher number of access requests than B2B firms.
The survey asked participants to rank the difficulty of responding to the access requests that were made and those rankings of difficulty were based on the way in which information was held. The most difficult type of request involved locating unstructured personal data within a system as opposed to requests which involved structured data.
In responding to DSARs, businesses typically took one to two weeks (38 per cent) while 16 per cent took about a month or longer to respond. This would be outside of the required timeframes for responses in Australia, being 30 days for government agencies and 'a reasonable period' for businesses. Over 50 per cent of the respondents indicated that they had dedicated teams for handling subject access requests.
As individuals increasingly seek transparency in relation to their personal data, the costs involved in dealing with DSARs can only increase over time. The report indicated that very few organisations have a fully automated process for dealing with requests and that the most common process involves manual responses using a mature process, with a smaller number using partly automated process.
Australian organisations would be well placed to consider investing in processes and infrastructure to ensure that these costs are contained into the future.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.