In general, you cannot set a Data Subject Access Request (DSAR) cost. Privacy regulations generally require businesses to respond to subject access requests free of charge.
But, there are a few circumstances where you might be able to charge something. This usually happens when a data subject makes unreasonable requests, although that's not always easy to prove.
Today, we'll look at DSAR compliance and how costs can come into the equation.
What Is A Data Subject Access Request Fee?
If you process personal data and are subject to the General Data Protection Regulation (GDPR), an individual can request a copy (or the deletion) of all the information you hold on them. When a data subject requests access to that information, the request is called a DSAR.
In some cases, you're allowed to charge a fee. For example, if the request(s) are:
Repetitive: they keep requesting the same thing over and over again.
Excessive: you can't collate the data without incurring high costs.
Unfounded: there is no reason for the request to be made.
Charging fees can be tricky, and you need to be able to show that the DSAR meets one of these criteria to justify it.
If you think a fee is reasonable for your situation, it has to be nominal because a large charge could be construed as an effort to deter anybody from making a legitimate request.
Instead, a potential charge should discourage anyone from making requests purely to be a nuisance or to interrupt your business.
How Much Can You Charge To Deal With A DSAR?
As mentioned, it's challenging to calculate a fair DSAR fee or to know when you are on the right side of data privacy laws if you start charging one.
Let's look at a couple of examples:
You receive a DSAR that takes two people (a data protection staff member and an administrator) about an hour to deal with. It's not going to be possible to charge the data subject for the cost of that hour.
You receive twenty DSARs a week from somebody with a competing business. That is excessive and likely intended to annoy.
Of course, that's an extreme example, but it gives you a better idea of when you might be able to charge a DSAR fee.
What Can I Do To Deal With Complex DSARs?
Unfortunately, privacy laws go hand in hand with running a business that collects or processes personal data. There is no way around them.
GDPR does give you the option of charging a fee, but that might not be enough to stop disruptive requests since the fee can't be a substantial amount.
Setting out the system for acknowledging and responding to DSARs.
Communicating how DSARs are processed and what your customers need to do to access their data.
Highlighting that intentionally problematic requests will incur a fee.
While you can't ignore a legitimate DSAR, you might decide that you're better off challenging a deliberately disruptive request. In this case, you still need to explain to the requestor why you aren't responding and what makes you think the request doesn't have any factual basis.