Dealing with bulk SARs and third-party representatives
Pending the decision of the Supreme Court in Johnson, Wrench, and Hopcraft, lenders and brokers are facing multiple financial and legal pressure points and are receiving, or are set to receive, a tidal wave of data subject access requests (SARs) from third-party claims representatives harvesting information about commissions paid.
Article 15 of the UK GDPR gives data subjects a statutory right to obtain a copy of their personal data from data controllers, known as a “subject access request”.
These requests are often used to harvest information in advance of a judicial claim. Strict time limits apply, legislative exemptions and other requirements need to be carefully considered, and data controllers are often put to strain and expense.
Helen Tringham, Partner at Mills & Reeve, sets out below her top tips to help data controllers prepare for a surge in SARs and stay on the right side of the law.
The risk of ICO attention is inevitably heightened where a data controller has a backlog of unanswered SARs or shows a concerning trend of response failures.
- SARs received in bulk often share a common denominator, meaning that they link to a specific issue, complaint or event, but each request must still be assessed on its own merits. The ICO acknowledges that a common denominator is present in SARs submitted to the financial services sector by claims management companies (CMCs); nevertheless, it warns against a blanket response approach.
- ICO guidance confirms that an ulterior motive behind a SAR does not negate your duty to respond. However, the ICO and the courts do recognise that requests can be vexatious, manifestly unfounded, or excessive. Arguments around motive need to be carefully considered against each set of circumstances. Mills & Reeve can advise on the prospects of such arguments.
- If the request is received from a third-party representative, you should be satisfied that the third party is authorised to make the request, and you may still need to confirm the identity of the individual concerned. Check that you have been given a valid and recent form of authority that relates specifically to the SAR, not a generic authority. During the PPI claims surge, the FCA raised concerns about CMCs pursuing fictitious claims or claims without valid and recent instructions. A similar trend may follow the pending Supreme Court decision on consumer credit in the car finance sector.
- If your organisation is multi-jurisdictional, ensure that the specific UK-based approaches to, and interpretations of, rights requests are recognised and built into your SAR response process.
- Even if you hold no information about the individual, you must still respond to confirm your position.
- The ICO will take account of a high volume of requests, but the size and resources of the organisation will also be considered when determining whether it is reasonable to take enforcement action for SAR response failures. You should not automatically assume that a sudden bulk delivery of SARs will attract any lenience from the ICO. If you need assistance with ICO communication, please get in touch.
- Remember to consider SARs arriving through your processor supply chain and joint controllership arrangements. If you are a data controller, check your arrangements with processors and joint controllers to ensure that rights requests are notified to the right department in good time. In a bulk SAR situation, a backlog can quickly develop.
- Read our blog on SAR key challenges and changes to stay ahead of news in this area.
Please do get in touch with us if you need help and assistance managing multiple SARs, or individual requests.