Chuck Palahniuk wrote that the only reason we ask other people about their weekend is so we can tell them about our own weekend. In that spirit, I had planned to switch off by watching sport and reading the newspapers. Perhaps you see what you want to see, but the weekend papers contained a couple of stories with a strong data protection connection that I couldn't help but think about more.

The first story concerned the UK Department for Education monitoring the social media activity of educational experts in England; the second story revealed that the British Labour Party had conducted a "lawfare" campaign to uncover embarrassing information about schools that have been critical of the Party's tax policy. Despite involving organisations on opposite sides of the political spectrum, the stories shared a common denominator: the use of data subject access requests (DSARs).

The legal right for individuals to submit DSARs is not a new one, as some businesses know all too well. But in recent months there has been a sharp rise in the number of public interest stories in the UK that feature — or indeed are based entirely upon — information gleaned from DSARs. And although the issues raised in those investigations are usually not directly applicable to requests made in the employment context (which is still the primary, or only, context in which many organisations have received a DSAR), we are hearing from clients as well as anecdotally about an uptick in requests following high-profile media coverage. Notably, that uptick is happening across the board and irrespective of whether an organisation operates in the same sector or undertakes the same processing activities as the subject of the news story.

One of the stories this weekend describes the time, money and effort required to comply with DSARs — and while one shouldn't believe everything that's printed in the papers, that much certainly is true. Broadly scoped requests can involve accessing, reviewing and redacting large email data sets and other internal communication channels, and complex or contentious DSARs may also need specialist legal advice. For many employees, responding to access requests sits alongside their full-time jobs, such that staying on top of DSARs can feel like a Sisyphean task.

If you are unsure about how to handle access requests, the UK Information Commissioner's Office has issued a range of helpful guidance (including the links here and here), which I suggest should be mandatory reading for individuals and teams that deal with DSARs. I won't rehash the advice or takeaways from those documents. Rather, what follows are three insights from my experience of dealing with many, many DSARs: the soft skills that go beyond the law and guidance.

1. There are exceptions, of course, but individuals usually submit DSARs for one or more of the following factors: curiosity, distrust, anger or leverage. The first factor is the easiest to deal with, although if you receive more than half a dozen of these requests I would suggest reviewing your transparency information to ensure it sets out, in language that is clear and easy to understand, how and why you will use people's data. It may sound counterintuitive, but the last factor can also be easy to deal with — because you know what the requester wants and can deal with them on those terms.

The harder factors to assess are the second and third, precisely because you don't always know the motive. Now, I realise that what follows is easier — much easier — said than done, but my experience is that organisations which are able to demonstrate to their employees, customers and other stakeholders that they operate with a privacy-first mindset tend to receive fewer DSARs. If you act like you have something to hide, people will assume that you do — and submit an access request to find out either way.

2. Many organisations have a policy or procedure describing how to handle DSARs, including the timelines required for sharing requests with the appropriate internal contacts. That's a good start, but you never really know how good your document is until you put it through its paces.

A few years ago, a client and I designed a process for their organisation — the equivalent of a cyber tabletop or a simulated dawn raid, but for DSARs. We submitted DSARs to various departments of the business and via different channels (email, post, verbal), and the findings were both stark and incredibly helpful. Some DSARs made their way to the appropriate contacts relatively quickly, while others never got there at all. Once the DSARs arrived, they were dealt with differently by each group company — an approach that may have seemed fine in isolation but that was easy to spot by submitting requests to each member of the group.

In other words, there was no consistency of process, despite the policy being clear and detailed. I won't give away all of the secret sauce, but do get in touch if you'd like to know how we devised a solution that the client has in place to this day.

3. Nobody likes deadlines. Unfortunately, that doesn't wash with the UK GDPR, which requires controllers to respond to DSARs within one month of the receipt of the request (with an additional two months allowed for complex requests). For what it's worth, the UK ICO often takes a reasonably pragmatic approach to this requirement — such that if a DSAR requires the organisation to review a significant amount of documentation, or involves complex analysis regarding (for example) the use of exemptions to disclosure, providing that information to the requester at one month (or three months) plus two days is unlikely to be problematic, but it may not avoid follow-up from the ICO if the data subject complains.

Here, I refer you to the previous point: handling requesters with decency, and communicating early and clearly (i.e., if you know that you may not meet the statutory deadline) will help to reduce the likelihood that they complain to the regulator.
