Deadline for responding to subject access requests changed

The Information Commissioner’s Office (“ICO”) has updated its guidance on data subject access requests (“DSARs”) and clarified how the one month time frame for responding works. It now says time runs from the date of receipt, meaning the deadline for replying is the corresponding date in the following month. For example, a controller who receives a DSAR on 3 September will have to respond by 3 October. Controllers need to amend their internal processes to reflect this amended deadline.

What are the function of DSARs? 

DSARs enable individuals to request controllers to give them information on whether they are processing data about them. Individuals are also entitled to a copy of any personal data processed and information on how the controller uses their data. Controllers must reply to requests “without undue delay” and in any event within one month of the request. In limited circumstances, the deadline can be extended by a further two months (taking into account the complexity and number of requests).

What are the ICO guidelines on DSARs?

The ICO has detailed guidance on DSARs. The guidance outlines how the one month time frame operates. 

Previously, the guidance explained that the one month timeline starts the day after receiving a valid request. For example, the deadline for a request received on 3 September was 4 October. 

However, the ICO has updated this guidance due to a previous EU judgment. The ruling specified you calculate the one month deadline as the corresponding date in the following month.

Under the updated guidance, the one month time frame now starts on the day the controller receives the request. Therefore, if the controller receives a request on 3 September, they must respond by 3 October. If the corresponding date is a non-working day (weekend or bank holiday) the deadline will be the next working day.

What are the next steps should organisations take? 

Organisations should review their internal processes to take this amended deadline into account. Failure to do so could result in non-compliance and a complaint to the ICO. The ICO could investigate and then decide on further steps (such as imposing a fine). 

Individuals frequently use DSARs as part of litigation. The GDPR greatly increased data privacy awareness. The ICO’s recent proposed fines to British Airways and Marriott International hit the headlines, which increased public awareness further. 

DSARs take up significant time and resources, so controllers need to deal with them proactively. Those responsible for responding to DSARs need to be aware of the new time frame.

You can view the updated guidance here.