There have been some slightly strange events at the Information Commissioner’s Office (ICO) recently, as it quietly updated its guidance on the GDPR’s “one month” time limit for responding to data subject requests, guidance which had been in place since before May 2018.
After this was noticed and commented upon publicly by some of our fellow esteemed data protection colleagues, the ICO responded with a public statement about the update:
“Following a ruling by the Court of Justice of the European Union (CJEU), we have updated our guidance on timescales for responding to a subject access request (SAR), as well as other individual rights requests. The timescale has now changed to reflect the day of receipt as ‘day one’, as opposed to the day after receipt. For example, a SAR received on 3 September should be responded to by 3 October.”
What this statement failed to mention was that the CJEU ruling referenced was from 2004, but we won’t labour that point. Anyway, while this appears to be a minor change in the grand scale of data protection work, organisations will need to review and update their processes for responding to data subject requests (not just subject access, of course) to ensure the calculation for a deadline is accurate. This could give organisations a shorter period to respond to requests in some circumstances.
Where the number of days in the month varies, the ICO’s guidance notes the following:
- If responding on the corresponding calendar date is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.
- If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond.
- This means that the exact number of days you have to comply with a request varies, depending on the month in which the request was made.
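The three rules above, together with the “day of receipt is day one” rule from the ICO statement, amount to a small deadline algorithm. The following added example (not part of the original post or the ICO’s guidance) implements it; the public holiday set is a constructed sample, and real dates would have to be supplied by the organisation.

```python
from datetime import date, timedelta
import calendar


def response_deadline(received: date, public_holidays: frozenset = frozenset()) -> date:
    """Deadline for a data subject request under the updated ICO guidance.

    The day of receipt counts as day one, so the deadline is the same calendar
    date in the following month. If that month has no such date, the deadline
    is the last day of the following month. A deadline that lands on a weekend
    or a public holiday moves to the next working day.
    """
    year, month = received.year, received.month + 1
    if month > 12:  # December receipts roll over into January of the next year
        year, month = year + 1, 1
    # Clamp to the last day of the following month when it has fewer days
    last_day = calendar.monthrange(year, month)[1]
    deadline = date(year, month, min(received.day, last_day))
    # date.weekday(): Monday = 0 ... Saturday = 5, Sunday = 6
    while deadline.weekday() >= 5 or deadline in public_holidays:
        deadline += timedelta(days=1)
    return deadline


def days_available(received: date, public_holidays: frozenset = frozenset()) -> int:
    """Number of calendar days the organisation actually has to respond."""
    return (response_deadline(received, public_holidays) - received).days


if __name__ == "__main__":
    # Constructed sample public holiday, not a real bank holiday date
    holidays = frozenset({date(2020, 3, 2)})
    for received in (date(2019, 9, 3), date(2019, 1, 31), date(2020, 1, 31)):
        print(received, "->", response_deadline(received, holidays),
              f"({days_available(received, holidays)} days)")
```

Note that 31 January 2020 clamps to 29 February, which is a Saturday, so the deadline rolls on to Monday 2 March; if that day is also a public holiday it moves again, which is why the check is a loop rather than a single adjustment.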
It is also important to remember that data subject requests are not deemed to be “received” until:
- You are satisfied of the requester’s identity or their authority to request information on behalf of the individual. But this must always be proportionate and not excessive in relation to the level of information being requested; and/or
- You have received any further information to be able to respond to the request – this may be clarifying certain points or attempting to narrow the scope to make it manageable.
These steps must be taken as soon as the request reaches the organisation, whether it arrives in a central data protection mailbox or with any member of staff working within the organisation. So, staff awareness, in being able to recognise requests and pass them on internally, is vital.
Requests can be extended by up to two months if a request is complex or you have received a number of requests from the individual. And no, there is not a definition of “complex” at this point in time – this will likely be defined by enforcement action and case law.
One further point of note from the ICO’s guidance relates to a requester refusing to provide further information to assist the organisation in responding:
“… if an individual refuses to provide any additional information, you must still endeavour to comply with their request i.e. by making reasonable searches for the information covered by the request.”
So, the ICO’s view on this is that regardless of whether you do receive any clarification requested, you must still conduct “reasonable searches” for the personal data. However, depending on the context of the request and the nature of the relationship between the requester and the organisation, there may be an argument that the request could be refused as “manifestly excessive” under Article 12(5) of GDPR. If you do go down this route, it is important to bear in mind that GDPR also says that “the controller shall bear the burden of demonstrating the manifestly excessive character of the request” – so you would need to be able to evidence a cost or time estimate for responding to the request.