David Woods

+44 (0)1733 887793 dvwoods@greenwoodsgrm.co.uk


Cambridge Analytica fined – as a result of a SAR

Corporate and Commercial / 11 January 2019

The ICO tells us that Cambridge Analytica has been fined £15,000 with costs of £6,000 and a victim surcharge of £170 as a result of failing to respond in full to a subject access request. A criminal prosecution was brought against the company when it did not comply with an enforcement notice issued by the ICO ordering it to respond in full to the subject access request.

The ICO’s investigation into Cambridge Analytica continues and there are a number of specific issues involved – but all organisations are potential recipients of subject access requests and this case serves as a reminder, if one were needed, that there are consequences for not dealing properly with them.

A subject access request can be made by any person, requesting that an organisation provides them with all personal data that the organisation holds relating to that person.  In most circumstances, the organisation has just one month to respond in full to the request.

Organisations should not underestimate the effort that may be required to respond to a subject access request.  They may well hold a wide range of personal data relating to that individual and it might be held in a number of different systems.  Simply identifying and locating all of the data relating to that individual may be a mammoth task.

And that is only the beginning. The organisation will then need to check the search results and identify and redact any personal data in them that relates to any other person.  It will also want to redact other information as permitted by the GDPR, such as certain types of confidential information and information that attracts legal professional privilege.

We have assisted clients in this process, with subject access requests received from employees (often recently ex-employees) and from customers.  The initial searches in some cases have returned tens of thousands of results. We strongly recommend taking specialist legal advice without delay if you receive a subject access request.  Don’t end up in the magistrates’ court like Cambridge Analytica did.
