In the run-up to implementation of the EU General Data Protection Regulation (GDPR) on 25 May 2018, much of the focus was on the eye-watering level of fines which regulators can impose for infringements of the new legislation. In addition to the prospect of significant financial penalties, businesses need to be aware of the very real threat of GDPR-related litigation and the increasingly prevalent tactical use of data protection laws and devices within the litigation process.

A game-changer

GDPR delivers new and enhanced rights for individuals in relation to their personal data.

Consumers are increasingly aware of their status as data subjects and emboldened in relation to the exercise of their rights. Add to that the ever-present threat of increasingly sophisticated cyber attacks, recent high-profile data breaches and incidents such as the Facebook/Cambridge Analytica scandal, and it is no surprise that individuals want more control over their data, reassurance about how it is used, managed and protected, and the ability to seek appropriate redress when things go wrong.

DSARs: what businesses need to know

The Data Protection Act 1998 placed an obligation on any data controller receiving a data subject access request (DSAR) to provide data subjects with a copy of their personal data and related information unless that was not possible or would involve disproportionate effort, or the data sought was privileged or fell within another of the few limited exemptions. GDPR introduced changes to the regime, reducing the time limit for a response and requiring that, in most circumstances, the information must be provided free of charge and, where a DSAR is made electronically, in a commonly used electronic format. There is also arguably a higher bar to overcome regarding refusal to comply with a DSAR.

Oct-Dec 2019 issue

Walker Morris