Human resources at a click

Subject Access Request Compliance Update

html-coding-on-computer-screen

Despite the consultation period for their draft Right of Access Guidance remaining open until the 12th February, the Information Commissioner’s Office (the “ICO”) has amended its published guidance on the timescales for Data Subject Access Request (“DSAR”) compliance.

It is no longer an option for Data Controllers to stop-the-clock for compliance when requesting further clarification from the Data Subject. This is likely to result in some major practical issues for employers, especially when the data subject in question has produced a very wide-ranging request or a general request for “all data”.

DSAR’s can be a huge burden on company resources as sourcing and reviewing the data can be very time-consuming. It is therefore common for Data Controllers to seek clarification by responding to DSARs with a prescribed form or checklist for the data subject to complete prior to beginning its search; it was understood that the time limit for the request started when this form was returned. This new guidance indicates that, whilst ‘further information’ forms will continue to be necessary in certain circumstances, the time limit for compliance will run from the date the initial request is submitted and not any subsequent DSAR form. Where relationships between Data Controller and Data Subject have broken down or the correspondence suffers from repeated delays, this could place extra stresses and burdens on the Data Controller when trying to ensure compliance.

The Right of Access guidance now states:

“If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request [(see recital 63, GDPR)]. However, this does not affect the timescale for responding – you must still respond to their request within one month. You may be able to extend the time limit by two months if the request is complex or the individual has made a number of requests”.

Disclaimer This information is for guidance purposes only and should not be regarded as a substitute for taking professional and legal advice. Please refer to the full General Notices on our website.
Anonymous author

Related Articles

Since the UK GDPR came into force in 2018, which was an overhaul in data protection, many employers and organisations...

The UK’s data protection framework is about to undergo its most significant change since the UK GDPR came into force....

On 6 May 2025, the SRA authorised the first law firm providing legal services through artificial intelligence. Garfield.Law will provide...

Related Resources

Data Subject Access Request checklist

Confidentiality statement

Confidentiality statement in regards to the monitoring policy. Confidentiality Statement – Monitoring Policy  I agree, save if required by law...

Bring your own device policy

This policy covers the use of employees’ own devices (e.g. smartphone, tablet, laptop) for companybusiness. This policy applies to the...

Human resources at a click