The ICO has updated their guidance on timescales for responding to individual rights requests

by Davide Borelli Manager (Italian qualified Lawyer) - Data Protection Strategy, Legal and Compliance Services

Email +44 (0) 7871760083

 

On 15 August 2019 the UK Information Commissioner’s Office (“ICO”) announced an update to their guidance on timescales for responding to a Subject Access Request (“SAR”) as well as other individual rights requests. The update follows a ruling by the Court of Justice of the European Union on the rules applicable to periods, dates and time-limits.

How long do you have to respond to a SAR?

Under Article 12 of the GDPR, the controller shall action a SAR (or any other individual rights request) without undue delay and in any event within one month of receipt of the request. Such period may be extended by two further months, where necessary. In that case the data subject shall be informed of any such extension within one month of receipt of the request, together with the reasons for the delay.

When does the clock start running?

The ICO has updated the timescale for responding to a SAR to reflect the day of receipt as ‘day one’, as opposed to the day after receipt. For example, a SAR received on 3 September should now be responded to by 3 October. If the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, a controller has until the next working day to respond to a SAR or other individual rights request. As a result, the exact number of days an organisation has to comply with a SAR or other individual rights request may vary considerably, depending on the month in which the request was made.

Then what?

As individual rights requests may lead to adverse scrutiny from courts, regulators and the public, organisations should pay particular attention to timescales for responding to such requests. Ongoing testing of the organisation’s ability to respond to individual rights requests in a timely fashion and in compliance with the applicable rules may prevent unwanted legal consequences as a result of not replying on time.

 
