ICO revises guidance on timescales for responding to subject access requests
How long does an organisation have to reply to a data subject access request (DSAR)?
The key takeaway
The ICO’s guidance has been amended to state that the time limit for a response to a DSAR starts from the day the request is received (whether it is a working day or not) until the corresponding calendar date in the next month.
Under Article 12(3) of the General Data Protection Regulation (GDPR) a data controller must respond to a DSAR “without undue delay and in any event within one month of receipt of the request”.
If an organisation receives a complex request, or a significant number of requests from the same individual, the response period can be extended by a further two months. However, the individual must be told why the extension is necessary within one month of receipt of the request.
A DSAR allows an individual to: (1) obtain records of their personal information held by an organisation; (2) be told who their information is disclosed to; and (3) receive an explanation as to why the organisation is holding it. A DSAR can be submitted by letter, email or social media.
The ICO’s previous guidance on DSARs noted that the one-month time limit should be calculated from the day after the DSAR is received until the corresponding calendar date in the next month.
This meant that if the DSAR was received on 19 August 2019, the response deadline would be 20 September 2019.
The ICO’s revised guidance states that the time limit for a response to a DSAR starts from the day the request is received (whether it is a working day or not) until the corresponding calendar date in the next month. This means that if the DSAR was received on 19 August 2019, the data controller should respond by 19 September 2019 (not 20 September).
If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. For example, if you receive a request on 31 March, the time limit starts on that day; as there is no equivalent date in April, you have until 30 April to comply with the request. If 30 April falls on a weekend, or is a public holiday, you have until the end of the next working day to comply.
If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond. So if a DSAR is received on 25 November, you have until 27 December to respond (25 and 26 December being bank holidays).
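The calculation rules above (same-day start, corresponding date in the next month, fall back to the month's last day, then roll forward past weekends and bank holidays) as a small Python deadline calculator. This is an added example, not part of the ICO guidance or this article; the bank-holiday set is a constructed sample and a real implementation would load the official list for each year.

```python
from datetime import date, timedelta
import calendar

# Constructed sample of UK bank holidays used only for the worked examples;
# replace with the official published list for the years you handle.
BANK_HOLIDAYS = {
    date(2019, 12, 25),  # Christmas Day
    date(2019, 12, 26),  # Boxing Day
    date(2020, 1, 1),    # New Year's Day
    date(2022, 5, 2),    # Early May bank holiday
}


def is_working_day(d, bank_holidays=BANK_HOLIDAYS):
    """Monday to Friday and not a bank holiday."""
    return d.weekday() < 5 and d not in bank_holidays


def dsar_deadline(received, bank_holidays=BANK_HOLIDAYS):
    """Response deadline for a DSAR received on `received`, per the revised guidance.

    The month runs from the day of receipt (working day or not) to the
    corresponding calendar date in the following month. If that month has
    no such date, the deadline is its last day. If the result falls on a
    weekend or bank holiday, it moves to the next working day.
    """
    year, month = received.year, received.month + 1
    if month > 12:
        year, month = year + 1, 1
    last_day = calendar.monthrange(year, month)[1]
    deadline = date(year, month, min(received.day, last_day))
    while not is_working_day(deadline, bank_holidays):
        deadline += timedelta(days=1)
    return deadline


if __name__ == "__main__":
    # The article's own examples plus two edge cases.
    for received in (date(2019, 8, 19), date(2019, 3, 31), date(2019, 11, 25),
                     date(2022, 3, 31), date(2019, 12, 31)):
        print(received, "->", dsar_deadline(received))
```

The 31 March 2022 case shows the double roll-forward: 30 April 2022 is a Saturday and the following Monday is a bank holiday, so the deadline becomes Tuesday 3 May.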
Why is this important?
Time is of the essence! It is important that employees are aware of what a DSAR is and how to pass such requests to the Data Protection Officer or the relevant staff member or team … immediately!
The revised guidance provides much needed clarity on calculating time with clear examples for organisations to use. This clarity should allow organisations to stay on the right side of the ICO and fulfil the requests of an individual in a timely manner.
Any practical tips?
Remember that the exact number of days you have to comply with a DSAR varies with the month in which the request was received. It may be helpful to adopt a 28-day internal period for responding to a DSAR so that the response always falls within a calendar month.
Data controllers should review and update their DSAR policies and procedures to ensure continued compliance with their data protection obligations.