ICO updates guidance on timescales for responding to data subject access requests
On 15 August 2019, the ICO updated its guidance on timescales for responding to a subject access request, as well as other individual rights requests. The guidance previously stated that a subject access request should be responded to within one calendar month, with the day after receipt counting as "day one". The guidance now says that the date of receipt should be treated as "day one".
Data subjects have certain rights under the General Data Protection Regulation ((EU) 2016/679) (GDPR) including the right to access their own personal data (see Articles 12 and 15, and Recital 63).
The right of access gives individuals the right to obtain a copy of their personal data as well as other supplementary information.
The ICO guidance states that any such request must be complied with without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receipt of (i) any requested information to clarify the request, (ii) any information requested to confirm the requester’s identity, or (iii) a fee (only in certain circumstances).
The ICO guidance has been updated to state that "day one" is now the day of receipt. The time limit should be calculated from the day the request is received (whether it is a working day or not) until the corresponding calendar date in the next month.
As some months are shorter than others, some organisations may want to adopt a policy of applying a consistent number of days for all requests. The ICO guidance notes that if a consistent number of days is required (eg for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.
For more information please contact Christina Fleming on +44 (0)20 7427 1022 or at email@example.com.