A Right Twist – The UK’s New Requirement for Messaging and Social Media in Subject Access Request Responses

By Ryan Costello, Engagement Director and Head of Data Privacy Service, ProSearch


A look at recent guidance from the UK’s Information Commissioner’s Office on messaging data caught up in access requests, and what it might mean for organizations already burdened by responding to DSARs.

Of the individual rights afforded by the UK’s version of the General Data Protection Regulation, the data subject access request, or DSAR/SAR, has been the most widely exercised and most controversial. Access requests from present and former employees, in particular, have troubled many organizations for some time, given the broad scope (e.g., documentation, emails, files) and contentious nature of many employee DSARs, which are often rooted in a human resources-related issue.

In late May 2023, the ICO issued updated guidance on access requests, confirming that social media and messaging data are well within the scope of DSARs and must be collected, searched and disclosed pursuant to these requests.

The SAR Q&A for Employers specifically says:

If your company uses social media platforms such as Facebook, WhatsApp, Twitter and chat channels on Microsoft Teams for business purposes, then you are the controller for the information processed on those pages.

The UK GDPR applies to any social media activity carried out in a commercial or professional context.

If you receive a SAR, you must search these platforms for any personal information if it falls within scope.

While platforms such as Facebook and Twitter may rarely figure in the workplace, Microsoft Teams, especially in post-pandemic times, is used by millions of companies globally and by 91 organizations in the Fortune 100. Collecting and disclosing Teams data in response to DSARs will now be standard practice across these companies, which could pose significant challenges for many. While collecting Teams data via M365 can be relatively straightforward, processing, searching and disclosing chats that touch on sensitive conversations or subject matter can be anything but.

People tend to speak more candidly and frankly in chat messages than they do via email or other forms of documentation. In certain HR-related contexts, that can mean that more of the background exchanges between employees occur via Teams or similar applications. It is often these conversations that data subjects are seeking in a DSAR, especially when a contentious or disputed underlying issue is driving the request.

Though the requirement to include messaging data in access request responses is currently unique to the UK, it is unlikely to remain so for long. The wide use of messaging applications means that other jurisdictions with GDPR or GDPR-like data privacy laws (including California) are likely to follow suit, especially as more access requests centre on communications about the data subject that contain sensitive personal information.

ProSearch has five years of experience handling employee DSAR responses on a regular basis, across numerous jurisdictions. We’ve leveraged best practices from our eDiscovery toolbox to sharpen our protocol for these DSARs – some of which can include hundreds of GB of collected data – building focused responses that leave the organizations, and the data subjects, pleased with the result.

More and more commonly, we have been using our Workstream message processing tool to help process, analyze and review messaging data across Teams, Slack and other applications, crafting a DSAR response protocol that spans messages, emails and other file types.

As DSAR responses become more and more complicated, working with an experienced provider that can handle messaging data is all the more important. Amid market swings, layoffs in the tech sector and jobs replaced by AI, HR-driven DSARs are likely to grow in frequency and complexity. Ensuring your organization is prepared is essential.

Find more ProSearch content on these subjects by visiting the Resources page of our website, including the article, Employee DSARs Under CPRA: What You Need to Know Now, and the white paper, Practical Insights for Responding to Employee DSARs – A Primer.

Ryan Costello

A US-licensed attorney and expatriate based in Europe for more than 10 years, Ryan has cultivated an expertise in data protection and data privacy compliance across a career in eDiscovery and litigation support. With a particular interest in the area where cross-border discovery and data protection intersect, Ryan has worked with a myriad of clients to manage EU-based eDiscovery exercises while navigating data protection compliance challenges on both sides of “The Pond.” With the implementation of the General Data Protection Regulation (GDPR) amidst other changes in the regulatory context, Ryan has assisted organizations in remediating cross-border discovery risks at every turn, with an eye toward solutions that utilize best practice technical and organizational measures, data management solutions and innovative technologies. Ryan assists across a range of client engagements, with a focus on assessing protective controls for personal data across the lifecycle of the EDRM. He is also a frequent writer and speaker on the GDPR, as well as data protection compliance topics and challenges in the US and across the globe. Ryan received his BA in English and Communications from Elon University, and his JD from Western New England University.