On 21 October, the Information Commissioner’s Office (ICO) published its detailed guidance on how to efficiently and effectively handle subject access requests (SARs) under the General Data Protection Regulation (EU) 2016/679 and the Data Protection Act 2018. The guidance is aimed at data protection officers and individuals with data protection responsibilities in larger organisations, and provides practical examples of how to comply with the right of access.

Of particular note are the following key issues which have been addressed by the guidance:

  1. when the response timeline can be paused to clarify a request - the ICO has clarified that in certain circumstances, the clock can be stopped whilst organisations are waiting for the requester to clarify their request; 
  2. what constitutes a “manifestly excessive” request – the ICO has provided additional guidance to help broaden this definition; 
  3. when a fee can be charged for excessive, unfounded or repeat requests – the ICO has updated what organisations can take into account when charging an admin fee.

The ICO has also announced that it will be offering future guidance on SARs including a simplified SAR guide for small businesses which contains the key points from the detailed guidance. Whilst this guidance is welcomed, managing SARs is an increasingly complex and costly exercise particularly where wide ranging requests are made. The ICO guidance confirms that that a data controller “cannot force an individual to narrow the scope of their request, as they are still entitled to ask for ‘all the information you hold’ about them”. Organisations are therefore still obliged to comply with SARs seeking everything held relating to a data subject which can be an incredibly time-consuming exercise.  

We will be running a webinar on managing complex subject requests in the near future and further details will be circulated shortly.

To view the ICO’s updated guidance, please click here. For more information please get in touch with one of our information law experts James Cassidy, Julianne Kirkpatrick and Emma Godding.  

Our use of cookies

We use necessary cookies to make our site work. We'd also like to set optional analytics cookies to help us improve it. We won't set optional cookies unless you enable them. Using this tool will set a cookie on your device to remember your preferences. For more detailed information about the cookies we use, see our Cookies page.

Necessary cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytics cookies

We'd like to set Google Analytics cookies to help us to improve our website by collection and reporting information on how you use it. The cookies collect information in a way that does not directly identify anyone.
For more information on how these cookies work, please see our Cookies page.