Numpty Nigel misses a Subject Access Request

Deadlines are boring aren’t they? They are meant to hurry us up. To make us do what the man wants us to do. Nobody wants to be a slave to the man. We are individuals. We should take our time. After all, deadlines are a target that can always be pushed out. Can’t they?........ Well, not this one! It is the number one privacy fail resulting in complaints to privacy regulators.

By Nigel Jones

Co Founder of The Privacy Compliance Hub

April 2020

Time limit

Each of the ‘Privacy Fails’ we discuss in this series of short articles are real.  They are based on things we have seen at the The Privacy Compliance Hub.  They are based on reports from regulators of the complaints they have received; the data breaches reported to them; and the fines and other enforcement actions they have levied.  These things do happen. A lot. Don’t let them happen to you. Don’t be a numpty.

The privacy fail

At number one – failing to respond to a subject access request (SAR).  Such a failure may be a failure to respond at all; a failure to respond within the given time limit (one calendar month); or a failure to respond adequately to the request.

The requests which individuals have the right to make under the GDPR are as follows:

  • the right to be informed;
  • the right of access;
  • the right of rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object to processing; and
  • the right not to be evaluated solely based on automated decision-making and the right in relation to profiling.

A privacy statistic

29% of all complaints made to the regulator in Ireland in 2019 were about responses to (or lack of responses to) subject access requests.  This was a similar percentage to complaints under the old laws, but the number of complaints were substantially higher under the GDPR. For example, in 2014 the DPC received a total of around 1000 complaints.  In 2019 it received more than 2000 complaints just regarding subject access requests.

Real life example(s) with real life consequences

The Irish regulator (DPC)  received a complaint against a healthcare group arising from its refusal of a request for rectification under Article 16 of the GDPR.  The complainant alleged that the healthcare group was incorrectly spelling his name on its computer system by not including the síneadh fada, an accent that forms part of the written Irish language.  The DPC made a limited order aimed at satisfying some of the complainant’s requests.

A court case arose in the UK where a doctor brought an action against an individual (and a company with which that individual was connected) for failure to comply with subject access requests adequately or at all.  The individual had brought a separate complaint against the doctor to the GMC. In the court case, after what must have been a very expensive legal process, the court made an order for production of the personal data sought.

How to avoid this privacy fail

Train your staff to spot a SAR.  For example, they may not know that a SAR doesn’t have to be written down.  If you have customer support manning phones then they should definitely know this.  Your staff should also know that they have to act very quickly. And finally, all your staff need to know who to pass SARs onto for processing.  Consider using one email address that all your staff know (  Record all your decisions and your justification for those decisions.

In short, train your staff, have a process that everyone knows and follows, test your process and record everything in one place.  This is an essential part of any culture of continuous privacy compliance.

“I cannot overstate this – we would have been overwhelmed without the Hub’s methodology to direct us through the process”

Martin McGreskin – NCTech


A culture of continuous privacy compliance

At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous privacy compliance by making everyone in an organisation understand privacy, care about privacy and do their bit to protect personal information.  Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to build that culture and comply with privacy rules including the GDPR and the CCPA.  It reduces the risk of data breach.

Numpty Nigel

Numpty Nigel’ is fictional.  He is not based on any person living or dead.  Any resemblance or similarity to any real person is purely coincidental.  It’s just that one of our Co Founders is called Nigel.  He is not a numpty.  But he does think that ‘Numpty Nigel’ sounds funny.  And the name Nigel is slowly dying out.  So this series of articles is for all the Nigels out there.

More to watch and read