Data requests under GDPR will cost the public sector £30 million

 New research released today shows that public sector organisations face increased financial pressure as a result of the recently implemented General Data Protection Regulation (GDPR), to the tune of £30million per year. The NHS is expected to be hit hardest by the influx in data requests, given that before the introduction it cost the NHS £20.6million per year to retrieve customer data.

New guidelines ruling that in most cases an organisation must also complete requests free of charge are an extra blow to budgets. This marks a key change from previous guidelines under the 1998 Data Protection Act (DPA), which allowed a processing fee to be charged. As such, a £2.1m gap in income per year is expected to emerge.

The detail behind the numbers:

The figures are the result of an extensive Freedom of Information (FOI) Act request made by Exonar, a provider of GDPR data mapping and data inventory solutions, to 458 organisations, including NHS Trusts (206), local government (125), central government (61) and emergency services (66) from across the UK.

The FOIs asked for the number of subject access requests (SARs) received by the organisation in 2014, 2015, and 2016* and the cost of processing each SAR.

On average, a SAR cost £145.46 to process, though some bodies admitted it costs much more, sometimes running as high as £1,800 such was the complexity of finding data and the associated administration. Multiplying the average cost to complete a SAR with the number of SARs received by the respondents in 2016 (209,023), results in a total administration cost to the public sector of £30.4 million.

Each organisation could previously have recouped some of the cost and charged a recommended £10 fee to complete a SAR but under GDPR they will no longer be able to, resulting in a £2.1m deficit that is set to grow wider as more requests are made.

Extrapolating the associated costs, Exonar forecasts that the cost to UK PLC will be £4.5bn.

NHS will be hit hardest

The study found that on average each NHS Trust already receives 800 requests per year. Multiplying this by the average cost of processing SARs and then by the 241 Trusts in the UK, the total cost to the NHS of managing SARs stands at £20.6million annually. It’s expected this will only go up as more people become aware of their rights.

Response deadlines

The GDPR has trimmed the amount of time that organisations have to complete SAR requests from 40 days – as per the 1998 DPA – to one month.

Exonar’s research found that many organisations struggled to meet the deadline for providing answers to its FOI requests (requests must be completed within 20 working days), highlighting the difficulty that many will face complying with requests under the new GDPR requirements.

The time to respond to an FOI varied from one day to 159 days. On average it took 24 days, with the NHS averaging 27, emergency services 21, central government 22 and local government 23 days.

Because the public now knows about the GDPR they are more likely to raise more SARs, and if there is a sudden wave of requests the public sector will be stretched further. It’s clear that the government needs to take advantage of new technology, particularly artificial intelligence, to help the public sector become more efficient with handling, organising and retrieving its data.

Adrian Barrett, CEO and founder of Exonar

A copy of the full report, which details all the findings and compares NHS, Emergency services, local and central government is here.