The Information Commissioner’s Office (ICO) has recently amended its General Data Protection Regulation: Right of access guidance on the time limits for compliance with a data subject access request (DSAR).
Key changes
The ICO’s amended guidance confirms that when a data controller requests clarification from an individual making a subject access request, the one-month time period for compliance will no longer be paused until the controller receives the requested information. Similarly, the extended timescale (of up to two further months) for responding to complex or multiple DSARs will also no longer be paused.
It’s important to note that the new timescale for responding to a DSAR will begin to run from the date that the DSAR is received or, if later, upon receipt of proof of the individual’s identification. This is an important change from the previous regime, which paused the time period for compliance until the controller received any information sought from the individual.
What does the revised ICO guidance say?
The ICO’s revised Right of Access guidance now says:
“If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request. However, this does not affect the timescale for responding – you must still respond to their request within one month. You may be able to extend the time limit by two months if the request is complex or the individual has made a number of requests”.
Practical issues
One clear area of concern is where the individual making the subject access request delays in providing the additional information that the controller has requested. This could have a knock-on effect and make it more difficult for controllers to collate their response to the subject access request in time.
Companies and organisations may wish to note that whilst neither the GDPR nor the Data Protection Act 2018 specifically requires data subjects to complete a subject access request form, the existence of such a form may enable controllers to receive the information needed to respond to a subject access request in a timely and comprehensive fashion whilst also limiting the potential for businesses and organisations to fall foul of the existing regulations.
Please contact us if you’d like more information about the issues raised in this article and/or to find out more about the various Data Protection related policies, procedures, guidance and training that we provide.