Many of you will be familiar with the concept of nudge theory, basically that a small intervention can have a dramatic and disproportionate effect on how people act. It derives from behavioural economics, and has been responsible for many initiatives, including pensions auto-enrolment in the UK, the introduction of fly-shaped stickers in Amsterdam urinals (don’t ask), and the introduction of smaller bins for non-recyclable waste almost everywhere in Europe.

We can all feel very clever when we create a nudge that has an intended consequence, but unintended consequences can also arise.

This is what we are seeing in data subject access requests (or DSARs). Before GDPR came into force in 2018 individuals could be required to pay a £10 fee for access to their personal data. This was not a large sum, and should not have deterred an intrepid data subject from pursuing their quest for information. However, it created friction and effort, and as such was sufficient to stop many less committed individuals from making a request.

GDPR made DSARs free, and therefore removed that little piece of friction, and guess what – the number of DSARs has exploded. The most cogent figure that demonstrates this is the number of DSAR-related complaints received by the Information Commissioner’s Office (ICO), 16,000 in 2022/23. This of course is just the level of complaints, so the number of DSARs being made is likely going to be a high multiple of that number.

That is certainly my experience. A common early act from an aggrieved, dismissed or otherwise challenged employee is to make a DSAR against their employer. It’s free, requires very little effort and can cause consternation in even the most hardened HR teams.

The consternation is understandable: responding to DSARs can take an awful lot of effort, and it is not uncommon to find smoking guns amongst the information disclosed (which is what the employee is looking for in the first place).

DSARs are not going away, so employers need a strategy to handle them. However, in my experience, many organisations are seeing this to be a legal or HR issue, rather than a data issue. If you have your data management strategy right, and have given some thought as to how DSARs (and data subject’s other rights) should be addressed – whether they are employees or not – then the process of responding becomes much simpler. This strategy will need deep involvement from the organisation’s data privacy manager or data protection officer, and should be driven by the rights and freedoms that the GDPR is designed to address rather than seeing it simply as an employee relations issue.

Quite clearly employment rights will play a significant part in any response, particularly if a dispute has already arisen. Difficult emails may need to be disclosed, for example. There are ways to deal with these, but again, this should be addressed in conjunction with the data privacy team.

In essence, dealing with DSARs as a data protection issue, and neutralizing the employment rights issues associated with them, can significantly reduce the time and distraction that a DSAR presents, particularly if a strategic approach is taken.

For more information e-mail mcole@prettys.co.uk

As well as 25 years’ experience in employment law, Matthew is a proud holder of CIPP/E certification from the International Association of Privacy Professionals. Matthew and the team at Prettys run regular webinars for HR professionals covering not only employment law but also considerations for employers about data protection and privacy.