Cambridge Analytica fined – as a result of a SAR
The ICO tells us that Cambridge Analytica has been fined £15,000 with costs of £6,000 and a victim surcharge of £170 as a result of failing to respond in full to a subject access request. A criminal prosecution was taken against them when they did not comply with an enforcement notice issued by the ICO ordering them to respond in full to the subject access request.
The ICO’s investigation into Cambridge Analytica continues and there are a number of specific issues involved – but all organisations are potential recipients of subject access requests and this case serves as a reminder, if one were needed, that there are consequences for not dealing properly with them.
A subject access request can be made by any person, requesting that an organisation provides them with all personal data that the organisation holds relating to that person. In most circumstances, the organisation has just one month to respond in full to the request.
Organisations should not underestimate the effort that may be required to respond to a subject access request. They may well hold a wide range of personal data relating to that individual and it might be held in a number of different systems. Simply identifying and locating all of the data relating to that individual may be a mammoth task.
And that is only the beginning. The organisation will then need to check the search results and identify and redact any personal data in them that relates to any other person. It will also want to redact other information as permitted by the GDPR, such as certain types of confidential information and information that attracts legal professional privilege.
We have assisted clients in this process, with subject access requests received from employees (often recently ex-employees) and from customers. The initial searches in some cases have returned tens of thousands of results. We strongly recommend taking specialist legal advice without delay if you receive a subject access request. Don’t end up in the magistrates’ court like Cambridge Analytica did.
Back to Our Thinking →