Study finds lockdown’s furloughed and laid off staff set to trigger spike in DSARs for HR Officers
Fall-out from lockdown is already causing difficulty meeting data compliance obligations for 75% of Britain’s Data Protection Officers (DPOs), according to a survey by British data privacy experts Guardum. The vast majority (72%) expect a backlog of Data Subject Access Requests (DSARs) to be waiting for them while the remaining 3% fear there will be a mountain of DSARs to complete when they return to the office.
The challenge is set to remain for the foreseeable future. Nearly a third (30%) of Data Protection Officers (DPOs) are expecting a massive increase in DSARs in the six months following the post-Covid return to work.
The independent study conducted by Sapio Research* holds a stark warning for Human Resources (HR) Officers of the compliance challenges awaiting them once the Government’s job retention scheme ends in October. Under the GDPR, data controllers are required to provide data subjects with a copy of their personal data within 30 days or risk a fine of €20 million or 4% of turnover from the ICO.
Of those predicting a massive jump in the number of DSARs, 73% believe DSARs raised by furloughed or laid off employees during the pandemic will be a major contributor, with one-in-five expecting it to be the single biggest factor.
Almost half (46%) of all DSARs received by mid- to large-sized organisations are from employees or contractors. A third (33%) comes through legal representation with ex-employees accounting for 15% of this proportion.
“Human Resources personnel will soon find themselves at the sharp end in dealing with large DSAR volumes raised by disgruntled former employees,” said Rob Westmacott, co-founder of Guardum. “If DSAR volumes reach the record levels DPOs expect then firms will struggle to meet their 30-day turn-around obligations using conventional manual processes.
“DSAR requests can be time consuming and costly: maintaining the privacy of any third parties means that the process of redaction will become impossible to manage effectively without some form of automation,” he continued.
Other significant findings to emerge from the research are as follows:
· Large organisations receive an average 28 DSARs a month, yet just 52% are completed within 30 days at an average cost of £4884.53 a time.
· Almost half (45%) of DPOs sampled said if given the opportunity, they would invest to automate the process to reduce time and effort.
· Almost half (48%) have trouble obtaining data from multiple departments when attempting to fulfil privacy regulations.
· For nearly one third (29%) of DSAR managers their biggest concern is receiving a fine for non-compliance.
Any organisation that processes personal information at scale is required to have a DPO responsible for the governance, privacy and compliance of all PII on its systems. In addition to carrying out risk assessments and preparing for compliance audits, the typical DPO’s workload includes responding to DSARs from members of the public enquiring about their own personal data held by the organisation.