Subject Access Requests: ICO publishes new guidance on response deadlines

At a time when the ICO is in the limelight for issuing larger fines than ever before for breaches of data protections rights, little fanfare has gone into publicising its recent small (but important) update to its guidance on compliance with Subject Access Request deadlines. This week Jessica Clough looks at what the changes are and what the potential impact will be for companies handling Data Subject Access Requests (“DSARs”).

Taking GDPR rights seriously

Since the introduction of the General Data Protection Regulations ("GDPR") in May 2018, the ICO has had the power to issue fines of up to 4% of worldwide turn over or €20million (whichever is higher) for GDPR breaches. Historically the ICO’s position has been that issuing fines was “a last resort” (ICO blog, Sorting the Fact from the Fiction). However, the ICO appears to have changed its position in recent months, imposing unexpectedly large fines for British Airways (£183.39million) and Marriott International (£99million) for data breaches. The British Airways fine (representing 1.5% of their worldwide turnover for 2017) is the largest imposed by any European authority to date.

Against this backdrop, companies clearly need to take GDPR rights very seriously.

What does the new ICO guidance say?

Following a ruling by the Court of Justice of the European Union (CJEU) on calculating timescales, the ICO has now updated its guidance on the deadlines for responding to GDPR rights, including DSARs.

Under Article 15 of GDPR, a data subject has the right to know what data is being processed about them and has a right to request access that to data – this is known as a Data Subject Access Request or “DSAR”.

Companies are required respond to DSARs “without undue delay and in any event within one month of the receipt of the request“ (Art 12(3) of GDPR). This deadline can be extended for a further two months where necessary, depending on the complexity of the request, provided the data subject is informed an extension is required within one month of receiving the request.

Previously the monthly time limit ran from the day after a DSAR was received. For example, if a DSAR was received on Monday 2 September, time would start running from Tuesday 3 September, giving until Thursday 3 October for a response.

Under the updated guidance, the month time limit will now start running from “day one” (the day the DSAR is received), even if this is a non-working day (such as a weekend or bank holiday). So for a DSAR submitted on Monday 2 September, the deadline to respond would be Wednesday 2 October.

If the last day of the time limit falls on a weekend or bank holiday, then the time limit is extended to the next working day.

Although the loss of one day may seem like an insignificant change, in our experience, complying with a DSARs is time consuming and companies often need all the time available to respond.

A company which fails to respond by the deadline (without applying for an extension) may be subject to an ICO complaint and potentially also a judicial remedy.

While we have not yet seen any fines of a level as those received by British Airways and Marriott International for failure to comply with a DSAR, the ICO does have the power to impose fines and companies should be very wary of breaching any GDPR obligations.

We can help

DSAR requests are time intensive and take up a lot of manager time. Employees often raise a DSAR in preparation to bringing an Employment Tribunal claim, in which case it is very important to know whether any exemptions apply in respect of any of the information which might otherwise be disclosed.

The Employment team is experienced at advising and assisting companies in carrying out DSARs. We can even carry out DSAR for you, using specialist software tools to assist in speeding up the process and keeping costs down.