Further to the UK Information Commissioner’s recent announcement of a consultation period on new draft guidance on dealing with Subject Access Requests (SARs), Stephanie Creed and Ruth Boardman of Bird and Bird have set out their insightful views, in the article referred to, on both what is in and what is not in the draft guidance.

SARs are one clear area where GDPR reality bites businesses: it is where external influences (e.g. humans) interact with a business’s best-laid plans for GDPR and for how it manages personal data. Given the feedback and challenges we hear from clients, further guidance will be appreciated.

As the authors note, it is a shame this draft guidance does not take the opportunity to comment on the interaction between SARs and litigation, which is an area we still see, though from a timing perspective it is not always obvious that the two are connected. Speaking as someone who is not a lawyer, two aspects the authors raise are of particular interest from a data and technology perspective: information management systems, and the scope of a search from a technical perspective.

In respect of information management systems: yes, these have been a feature of the law in this area since the 1980s, but that does not mean every business has implemented them fully across all of its functions and systems. Data is not easy to control: given its portability, value and flexibility, it can often ‘escape’ from even the best-managed systems. Management is easier across certain data sets, but as businesses adopt more cloud-based, social-orientated and/or BYOD policies, it becomes more challenging.

In respect of the scope of a search, the guidance sets out that personal devices and personal email accounts do not need to be searched unless there is reason to believe data is held there, and that businesses will not have enforcement action taken against them for not taking extreme measures to recreate deleted data.

On the second point, however, the guidance notes that searching emails simply residing in a deleted-items folder will not be considered an extreme measure, and therefore this needs to be carried out where appropriate. Does that extend to archives, back-ups or email journaling systems? I guess not, as obviously there has been no effort to “permanently disregard” the data where these systems are deployed. In respect of personal devices, as businesses embrace BYOD policies this will lead to a degree of complication, and they will have to think carefully about the application of this advice in those situations.

None of the above fundamentally changes the fact that businesses should have policies, procedures and systems in place to enable them to identify, track and manage their data, so that they can respond effectively not only to SARs but also to data breaches, should they occur. A proactive approach will always be the best solution!