Controllers may need to implement new data subject complaint handling processes
What is the change?
At present, if an individual is dissatisfied with the way their subject access request (“SAR”) has been handled, they have a right to complain to the Information Commissioner’s Office (“ICO”). Individuals are encouraged to raise their complaints with the organisation they made their request to (the controller) in the first instance, but there is no obligation to do so.
The Data Protection and Digital Information Bill (the “Bill”) changes this, and places a specific obligation on controllers to facilitate and respond to data subject complaints. The Bill also gives the ICO the right to refuse to act on complaints made by individuals, where the complaint has not previously been made to the controller and where the controller’s complaints process has not been exhausted.
What could it mean?
Controllers will have sight of all data subject complaints prior to any potential involvement by the ICO. If they do not already have robust procedures for handling complaints in place, they will need to design and implement data subject complaint handling processes, potentially reducing the frequency of subsequent ICO involvement.
What do you need to do?
Controllers will need to make individuals aware of their right to complain and make this a straightforward process for individuals, for example by providing an electronic complaints form. All complaints must be acknowledged within 30 days of receipt, and responded to as soon as possible. The Bill also requires that individuals are kept informed regarding the progress of their complaint.
Currently, in responding to data subject complaints, the ICO will often refer data subjects back to the relevant controller as a first step. As such, undertaking a review of complaints handling procedures ahead of the Bill could have benefits now for controllers with regard to the resolution of data subject complaints and in terms of preparedness for potential changes introduced by the Bill. Stone King can advise on complaint handling and the development of processes that assist with complaint resolution now and ahead of the potential new changes.
For further guidance on handling SAR complaints, please contact the Information Law Team.