ICO revises guidance on timescales for responding to a data subject access request
The ICO’s guidance has been amended to state that the time limit for a response to a DSAR starts from the day the request is received (even if it is not a working day) until the corresponding calendar date in the next month, instead of the day after the request.
Why is this important to retailers?
Time is of the essence! It is important that all of your employees are aware of what a data subject access request (DSAR) is and how they can pass these requests to the relevant staff member/team … immediately!
The revised guidance provides clarity on calculating time with clear examples for organisations to use. This clarity should allow you to stay on the right side of the ICO and fulfil the requests of an individual in a timely manner.
The old guidance
Under the GDPR, a data controller must respond to a DSAR “without undue delay and in any event within one month of receipt of the request”, but if it is a complex request or there are a significant number of requests, the response can be extended by a further two months. However, the individual must be provided with an explanation of why the extension is necessary within one month. A DSAR allows an individual to: (1) obtain records of their personal information held by an organisation; (2) be told who their information is disclosed to; and (3) receive an explanation as to why the organisation is holding it. A DSAR can be submitted by letter, email or social media.
The ICO’s previous guidance on DSARs noted that the one-month time limit should be calculated from the day after the DSAR is received.
The new guidance
The ICO’s revised guidance states that the time limit for a response to a DSAR starts from the day the request is received (whether it is a working day or not) until the corresponding calendar date in the next month. This means that if the DSAR was received on 19 August 2020, the data controller should respond by 19 September 2020 (not 20 September).
If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. For example if you receive a request on 31 March. The time limit starts from the same day. As there is no equivalent date in April, you will have until 30 April to comply with the request.
If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond. So if a DSAR is received on 25 November, you have until 27 December to respond (25 and 26 December being bank holidays).
Remember that the exact number of days you have to comply with a DSAR varies depending on the month in which the request was made. It may be helpful to adopt a 28-day period for responding to a DSAR to ensure compliance is always within a calendar month.
Data controllers should review and update their DSAR policies and procedures to ensure continued compliance with their data protection obligations.