Clients Benefit from Solicitors’ Advice on Handling DSARs

October 20, 2022
Tim Heywood


View profile

There can be few organisations that have not received a data subject access request at some point.

Most of them probably struggle to respond exactly in the way that the UK GDPR requires. After all,  article 15 is more extensive than they might think and most of them won’t know much about Schedule 2 to the Data Protection Act.

Certainly smaller organisations often struggle. Larger organisations, especially those with their own Data Protection Officers, are better equipped.

It’s an important issue because getting the response wrong can result in serious enforcement action being taken by the ICO and, potentially, legal proceedings by the data subject.

DSARs are essentially backward looking; the data subject wants to know what information has historically been collected about them and how it’s been used. And what about those old emails written in anger by a colleague and using less than flattering language about the data subject?

Whilst they are trying to make sense of all the historical stuff, very often data controllers can easily forget that any new information they create as a result of the DSAR is also potentially disclosable to the data subject. Dozens of emails will be written, meetings held , notes and decisions taken about how to respond to the DSAR.

A sense of despair can quickly fall on an organisation trying to respond correctly. Very often they discover that they don’t have the right tools to search all their data sets effectively and they worry about meeting the time limits.

All too quickly it becomes apparent that they hold volumes of personal data stored in a variety of datasets and in different locations. The task of disclosure can seem daunting.

Disclosure is a tricky regulatory issue. It is not merely a commercial or managerial issue.  It is best done with the benefit of specialist legal advice.

There is at least one source of comfort though. As well as having the expertise (and experience) the organisation’s solicitor also brings legal professional privilege into the mix.

Part 4 of Schedule 2 to the DPA 2018 provides that “information in respect of which a claim for legal professional privilege could be maintained in court proceeedings”  is exempt from the article 15 (1)-(3) rights.

 This means that clients can engage with their solicitor openly, on all aspects of the DSAR safe in knowledge that those professional communications will not have to be disclosed. That comfort is not something that business consultants or data protection advisers can generally offer.

Tim Heywood FRSA is a partner in gunnercooke specialising in data protection, cyber and information law.

This article is not intended as legal advice nor should it be relied upon as such. Neither gunnercooke llp nor the author accepts any liability for any loss or damage resulting from reliance on its contents. Specific legal advice should be sought on your particular circumstances.