Exposing GDPR Non-Compliance: A Deep Dive into Mishandled Subject Access Requests
The General Data Protection Regulation (GDPR) is pivotal in safeguarding personal data and ensuring transparency in data processing practices. However, my recent experience with a Subject Access Request (SAR) to Naylors Gavin Black has revealed significant shortcomings in compliance that demand attention. This article aims to shed light on the mishandling of SARs and the potential consequences for non-compliance with GDPR.
Section 1: Background on GDPR and SARs
GDPR was introduced to give individuals greater control over their personal data and to hold organisations accountable for how they handle this information. One of the key tools provided by GDPR is the Subject Access Request (SAR). SARs allow individuals to request access to the personal data that organisations hold about them, verify the legality of its processing, and correct any inaccuracies.
Under GDPR, organisations must respond to SARs within one month, providing transparent and comprehensive information about the data they process. This includes detailing the purposes of processing, the categories of data, and any recipients of the data. Legal professional privilege can be invoked to withhold data, but this must be narrowly applied and justified.
Section 2: The Mishandling of My SAR
In April 2024, I submitted a SAR to Naylors Gavin Black LLP to understand how my personal data was being handled. The process that followed was fraught with delays, vague justifications, and significant redactions. Here is a detailed timeline of the key events:
Despite the GDPR stipulating a one-month response timeframe, Naylors Gavin Black LLP failed to comply within this period, providing only a partial response initially and a delayed final response almost three months later.
Section 3: In-Depth Analysis of Issues
Conflict of Interest and Transparency Issues
Conflict of Interest: Angus White, a partner at Naylors Gavin Black LLP, was directly involved in handling my SAR, despite being implicated in the matter. His use of a "confidential" email address suggested an attempt to withhold or obscure relevant information, compromising the integrity and impartiality of the SAR process.
Transparency Issues: The organisation broadly applied legal professional privilege to withhold data without specific criteria or detailed justifications. This broad application undermined transparency and obstructed my right to access my personal data. Furthermore, my personal data was shared with Muckle LLP without my consent or knowledge, violating GDPR’s transparency requirements.
Role and Interaction with Muckle LLP: Naylors Gavin Black LLP indicated that Muckle LLP, identified as a data controller, would not engage with me unless authorised by Naylors Gavin Black LLP. This overreach obstructed my right to access my personal data directly from Muckle LLP, impeding transparency and accountability.
Impact of Delayed Response: The significant delay in responding to my SAR not only caused frustration but also obstructed my right to promptly address and rectify any inaccuracies in my data. This delay was not adequately justified, highlighting a blatant disregard for the legally mandated timeline.
Heavily Redacted Emails: Many emails in the SAR response were heavily redacted, including critical communications. One unredacted portion revealed significant information about my unlawful eviction and the re-letting of the property before I had a chance to collect my belongings. This indicated misconduct, premeditated planning to unlawfully evict me, and underscored the need for full transparency.
Section 4: Potential Consequences for Angus White
Reputational Damage: Angus White's involvement in such an issue could severely damage his professional reputation, both within the firm and externally. This situation may lead to diminished trust from clients and colleagues.
Increased Scrutiny: Future data handling and SAR processes involving Angus White are likely to be subjected to increased scrutiny by the ICO and within the organisation. This could result in stricter oversight and more rigorous checks to ensure compliance.
Financial Liability: While financial penalties are typically levied on the organisation, the costs associated with compliance orders, independent reviews, and potential fines will indirectly impact Angus White and other partners. The estimated costs could be substantial, encompassing independent review costs, ICO penalties, compliance and remediation costs, legal fees, and reputational management expenses.
Section 5: Lessons Learned and Recommendations
For Organisations:
For Individuals:
Conclusion
My experience with Naylors Gavin Black LLP’s mishandling of my SAR underscores the critical importance of GDPR compliance. Ensuring timely responses, transparency, and avoiding conflicts of interest are paramount to upholding data protection principles. Organisations must prioritise these aspects to foster trust and accountability. I encourage readers to share their experiences with SARs and join the discussion on best practices for GDPR compliance.
#GDPR #DataProtection #LegalCompliance #SubjectAccessRequest #PrivacyRights #Transparency #LegalEthics #DataPrivacy #Compliance #LegalRecourse #AngusWhite #NaylorsGavinBlack
Public Interest Disclosure Statement
This statement outlines the principles guiding disclosures made in my articles, which aim to serve the public interest by promoting transparency and accountability.
Guiding Principles
Legal Considerations Disclosures are made with consideration of:
Ethical Standards
While not a professional journalist, I strive to maintain high ethical standards in my reporting, including:
Disclaimer
This statement does not claim legal protections specific to employee whistleblowers or professional journalists. While every effort is made to ensure accuracy and ethical compliance, this is not legal advice. I am not a legal professional or a qualified journalist. Legal and ethical advice will be sought in cases of uncertainty.
By adhering to these principles, I aim to make responsible disclosures that serve the public interest while respecting legal and ethical obligations.
Experienced Managing Director @ Eco-HuMantropolis | Law, Sales
GDPR is UK data regulation, and the UK ICO does not follow the UK GDPR regulations set out in its remit to independently and transparently investigate SARs and/or data breaches. UK or transatlantic investigations are not investigated in accordance with UK GDPR, ICO regulation and articles. The problem here started during the Brexit exit and the conflict between UK GDPR and EU adequacy with the UK's member state data position. To comment on SAR procedures and/or conflict solutions would require regulating the UK ICO regulator investigators using independence and transparency. During UK ICO investigations the UK ICO can, will, and have during the Brexit exit abandoned investigations by completely changing or updating the UK ICO investigation IT system and data infrastructure. During the time or period in question many UK-listed international companies, UK ICO investigations, UK public health data and criminal data investigations were mishandled and/or abandoned. Unless the UK ICO investigator actors are regulated and investigations cannot be abandoned using IT system and email changes, nothing will change. The UK ICO has acted in accordance with HMG with no transparency or accountability.