19th September 2018
Much of the focus in the retail and legal press in recent months has been on the eye-watering level of fines which data protection regulators can impose for infringements of the new EU General Data Protection Regulation (GDPR) legislation. However, in this mini-series Walker Morris’ Heads of Regulatory & Compliance and Commercial Dispute Resolution, Jeanette Burgess and Gwendoline Davies, offer practical advice in light of other GDPR-related risks which are becoming increasingly prevalent issues for retailers.
In this first briefing, Jeanette and Gwendoline look at data subject access requests (DSARs).
GDPR delivers new and enhanced rights for individuals in relation to their personal data, including the right of access, the right to rectification, the right to be forgotten, the right to object to or restrict processing, the right to data portability, and rights related to automated decision-making. GDPR also introduces certain direct obligations on data processors and the requirement for detailed contractual obligations to be implemented between all data controllers and processors. There are also new mandatory notification requirements in relation to data breaches (including informing individuals directly without undue delay, if the breach is likely to result in a high risk to their rights and freedoms), and specific requirements in relation to documentation and record-keeping – part of the universal principle of accountability under the new regime.
There can be little doubt that, aided by the recent bombardment of GDPR-related emails, consumers are becoming increasingly aware of their status as data subjects and emboldened in relation to the exercise of their data protection rights. Add to that the ever-present threat of increasingly sophisticated cyber-attacks, recent high-profile data breaches, and incidents such as the Facebook/Cambridge Analytica scandal, and it is no surprise that individuals want more control over their data, reassurance about how it is used, managed and protected, and the ability to seek appropriate redress when things go wrong.
Last month, however, Retail Week reported that some retailers are struggling to comply with their GDPR obligations. Examples given by Retail Week of some of the difficulties faced by retailers include the volume of DSARs being received and the tight timescales within which retailers must respond. Perhaps even worse, when Tesco did respond (late) to a DSAR submitted to it by a Retail Week staff member, its response was not legally compliant, and could have given rise to a claim.
With GDPR placing an increased level of responsibility on those who process personal data whilst, at the same time, online shopping and digital marketing mean that data collection, processing and retention are more important than ever, the stakes for retailers have never been higher.
The Data Protection Act 1998 (DPA) placed an obligation on any data controller receiving a DSAR to provide individuals (or, data subjects) with a copy of their personal data and related information unless that is not possible or would involve disproportionate effort, or unless the data sought is privileged (or falls within another of the few limited exemptions). The Data Protection Act 2018, which replaces the previous DPA and implements GDPR, introduced changes to the DSARs regime, reducing the time limit for a response from 40 days to 1 month (although the deadline can be extended by up to 2 months where requests are complex or numerous); and requiring that, in most circumstances, the information must be provided free of charge and, where a DSAR is made electronically, in a commonly used electronic format.
The extent of the data controller’s obligations when it comes to complying with DSARs has, however, been the source of some debate. The following key issues have now been confirmed in recent cases:
Retailers should be aware that DSARs are increasingly being used tactically, both prior to and alongside the litigation process. Here are our top tips for managing retailers’ risks and responsibilities:
If you require assistance in relation to any of the issues raised in this briefing, please do not hesitate to contact Jeanette or Gwendoline, who will be very happy to help.
 Up to 2 per cent of annual global turnover or €10 million, whichever is the greater, for violations relating to certain administrative data protection failings; and up to 4 per cent of annual global turnover or €20 million, whichever is the greater, for violations relating to certain more fundamental failings, such as breaches of any of the basic principles for processing personal data and breaches of data subjects’ rights.
 See our previous briefing for further information.
 Dawson-Damer & Ors v Taylor Wessing LLP  EWCA Civ 74
 Deer v University of Oxford and Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & Ors  EWCA Civ 121