Many organisations within the hospitality sector are currently busy preparing themselves for the General Data Protection Regulation (GDPR) which comes in next May.


Businesses would be forgiven for focusing on the eyewatering fines that are being introduced by the GDPR – 4% of global turnover or £17 million. There are many aspects to the GDPR which may have a significant impact on organisations, and particularly those which by their nature hold a significant amount of personal data, such as those within the hospitality sector. One such change relates to the data subject access request (DSAR) regime that will make it easier - and free - for individuals to require an organisation to disclose the personal data that it holds on them.

What is the issue?

Experience tells us that organisations in the hospitality sector are already seeing an uptick in the number of DSARs being made and that they are increasingly becoming more cumbersome. There are several reasons for this:

  • Individuals, generally, are becoming more aware of the need to protect their personal information (and the media attention surrounding the GDPR is only increasing this awareness)
  • Making a DSAR is easy – it can be done informally, costs next to nothing (the fee is £10) and can be done with impunity
  • DSARs are being used tactically, as a simple means of gaining potentially helpful material to pursue a grievance or litigation
  • Data volumes continue to grow exponentially – so there is much more data to look at in order properly to respond
  • Innovation and the ever increasing use of technology mean that there are multiple sources of data, all of which might need interrogating

When the GDPR comes into effect, organisations will no longer be able to charge a £10 fee. While this may not seem significant, a Government impact assessment estimates that the abolition of the fee may result in a rise in the number of DSARs of between 25% and 40%.

In addition, under the GDPR, organisations will be required to respond to a DSAR within a month rather than the current 40 days. Both the increase in the number of DSARs and the shorter timeframe to respond are likely to place an increased burden on already stretched resources.

There have also been a number of recent court decisions which have been “data-subject friendly”. Previously, if the DSAR regime was being used for collateral purposes, e.g. by a litigation opponent, then it might have been possible simply to refuse to respond to the DSAR. Now, it seems that is much less likely, so businesses can expect more DSARs being made for tactical reasons, such as to gain an advantage in litigation. We have even seen some instances of vexatious litigants making DSARs in the hope that organisations do not respond properly, before then initiating a claim for damages for the distress suffered (it is not necessary to show financial loss to bring a claim).

What are the consequences for failing properly to respond?

The consequences may include regulatory investigations and/or enforcement, litigation, and, of course, more generally, damage to reputation. The Information Commissioner’s Office (ICO) issued nine enforcement notices in 2016 for failing to respond to a DSAR without undue delay, which is more than in previous years. That also needs to be viewed in the context of the GDPR which gives the ICO greater powers to issue fines.

Organisations should also prepare for an increase in litigation because if a person can demonstrate that they have suffered damage in the form of distress, then they may be entitled to damages. While any damages awarded would likely be minimal, there is obviously a nuisance value - and a financial value - to dealing with such claims, and if one succeeds, it may open the floodgates, including to group actions.

Perhaps more importantly, businesses must bear in mind the potential reputational damage of non-compliance, particularly when it comes to two large groups of stakeholders who are likely to make most use of the DSAR regime: employees and customers. More so than ever before, people are taking seriously the need to protect their personal information, and any business seen not to be taking appropriate steps to do likewise is likely to suffer as a result.


Preparation and response

What should organisations be doing now and going forward?
  • If it is not already happening, then how organisations respond to DSARs should be reviewed as part of their GDPR planning to ensure compliance by May 2018. Organisations need to map their personal data (i.e. what data is held and where) which will assist in the DSAR process.
  • Internal practices and policies for responding to DSARs should be reviewed to ensure that they are up to date and reflect the recent and proposed developments outlined above.
  • Consideration should be given as to who within the organisation is responsible for handling DSARs and whether the team has received appropriate training to ensure that they are aware not only of the changes but some of the more nuanced and tactical aspects – for instance, being alive to DSARs which are being made for collateral purposes.
  • Organisations also need to consider how they will cope with an increase in demand and tighter timescales to review a significant amount of data.
  • Consideration should also be given to the use of technology, including artificial intelligence based tools, to assist with the review process. Used intelligently, technology can make responding to a DSAR both quicker and cheaper, or at least mitigate the effect that technology has had on the proliferation of data in the first place.

AG’s approach

To address the issues outlined above, AG has put together a DSAR offering which will make responding to DSARs easier, quicker and cheaper. Our aim is to work collaboratively with our clients to make sure that we understand the organisation’s general practices and attitudes to risk, any DSAR protocols that are in place, and work with the in-house team to respond to the DSAR challenges faced by it. We offer a complete package, which ranges from offering fixed price training for organisations to develop best practice and robust policies, to document review, hosting and processing requests. Our offering combines the following:

  • legal expertise, with experts being well-versed not only in the intricacies of the law of data protection, but with a wider remit of related legal areas, such as the law of confidence and privilege
  • the latest advances in technology, ensuring that even the largest of document reviews is conducted briskly, efficiently and correctly
  • cost-effective resourcing for heavy document reviews, in the shape of our Transaction Services Team of over 130 paralegals


If you have any comments or queries, please get in touch.

Key Contacts

Lucy Sturrock

Partner, Real Estate / Head of Leeds Office
United Kingdom
