Data subject access requests (DSARs) are now a staple tactic in workplace disputes.
What was intended by law-makers as fundamental personal data transparency rights are now frequently deployed as fishing exercises, stalling tactics, or simply to put pressure on employers to settle low-merit employment claims.
With the recent widespread adoption of generative AI, the volume and (apparent) sophistication of DSARs and data protection complaints by employees have risen dramatically. Further, it is now not uncommon for employers to receive multiple DSARs en masse, especially following events such as data breaches or collective redundancies.
For HR professionals, the complexity in responding to DSARs has never been more challenging and the risks of getting the response wrong more daunting. The ICO frequently reports DSARs as being the most complained about data protection issue.
So how can HR professionals respond with confidence without diverting all their time and attention away from their other tasks?
Preparation makes the biggest difference. Map data sources and test capabilities before pressure hits. Ensure internal communication tools (including instant messaging platforms like Teams and Slack) have subscription levels that allow for the easy retrieval of data, as regulators expect employers to use only technology that respects the right of access.
Every workplace DSAR should be treated as the exercise of a fundamental right. Set a professional tone from the outset, despite the often-heated underlying employment dispute. A prompt acknowledgement, free of point‑scoring, establishes credibility and helps set the tone of the overall response. Every piece of DSAR correspondence should be aimed at demonstrating the employer's response efforts so it makes sense to address the DSAR separately from other matters such as grievances or disciplinary investigations.
Many workplace DSARs ask for excessive volumes of data: 'This is a request for all my personal data.' Whilst it is tempting to simply say 'no', blanket refusal is always the riskier option. Take control early by engaging constructively on scope, time periods and data sources, and by communicating realistic timelines. The UK's recent Data (Use and Access) Act makes clear that employers only need to conduct reasonable and proportionate searches, even when being asked by an employee for 'everything'.
Proportionality only stands up if employers can show their working, so be transparent with the approach to searches and keep a simple record of decisions made. Technology, such as document review platforms, can streamline record keeping and make it easier to demonstrate decisions if ever challenged. Avoid untested assumptions about the data held or which exemptions apply. Small sampling exercises can materially strengthen arguments.
Repeated generative AI DSARs and complaints, while frustrating, shouldn't be ignored. However, the endless ability of GenAI to refute, argue and complicate a DSAR response means that employer engagement should be tactical. Not every GenAI-drafted argument needs to be 'won' or even addressed by the employer. GenAI tools which rely on large language models trained on US data often demand employers take actions that may not be legally required in respect of UK DSARs, such as applying legal holds or providing rolling disclosure of data. Remain responsive and factual but avoid being drawn into endless AI arguments by keeping communications focused on the statutory right, the agreed scope, and the need to keep the process moving forward.
After events such as data security incidents or collective redundancy exercises, plan for DSAR surges by pre‑assigning roles, triaging requests and scaling review capacity (for example with technology) so timeliness and the quality of the responses are maintained under pressure. Where possible, avoid taking a blanket approach and aim to 'listen' to what each DSAR is asking for.
Finally, do your best and never ignore a DSAR. Regulators are human; the aim shouldn't be to 'win the DSAR battle', but to demonstrate to the regulator as clearly as possible why data protection obligations have been met.
Originally Published by hrmagazine.co.uk.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.