Requests for personal data could cost the public sector £30 million per year and the NHS at least £20.6 million, according to new research.
The new figures are the result of research from GDPR solutions business Exonar.
A ‘subject access request’ or ‘SAR’ is carried out when someone requests a copy of the data which an organisation holds on them.
Previously organisations could charge a £10 fee to provide the SAR, but the GDPR stipulates that these should be carried out free of charge.
The company suggests that the average cost of fulfilling a SAR is £145.46, but can run as high as £1,800.
“We expect 30 million requests to be made this year to private businesses of all sizes and the public sector,” said Adrian Barrett, CEO and founder of Exonar.
“If we assume the cost to process a [subject access request] is the same in public and private sectors, then the cost to UK PLC stands at £4.5bn. That’s an extraordinary sum to set against admin that has no value to a company.”
The company gathered data from 458 organisations, including NHS Trusts, local government, central government and emergency services from across the UK.
Exonar suggests that this could result in a £2.1m deficit that is set to grow wider as more requests are made.
The NHS Trust is expected to be hardest hit by the new rules. It receives 800 requests per year, which brings the total cost of managing its SARs to £20.6million annually.
Local government could also be hit hard to tune of £7.9million.
It’s estimated by Exonar that the NHS will have thousands of pages to provide as complete medical histories are produced.
“Because the public now knows about the GDPR they are more likely to raise more SARs, and if there is a sudden wave of requests the public sector will be stretched further,” added Adrian.
“It’s clear that the government needs to take advantage of new technology, particularly artificial intelligence, to help the public sector become more efficient with handling, organising and retrieving its data.”