On 21 October, the Information Commissioner’s Office (ICO) published its detailed guidance on how to efficiently and effectively handle subject access requests (SARs) under the General Data Protection Regulation (EU) 2016/679 and the Data Protection Act 2018. The guidance is aimed at data protection officers and individuals with data protection responsibilities in larger organisations, and provides practical examples of how to comply with the right of access.
Of particular note are the following key issues which have been addressed by the guidance:
- when the response timeline can be paused to clarify a request – the ICO has clarified that in certain circumstances, the clock can be stopped whilst organisations are waiting for the requester to clarify their request;
- what constitutes a “manifestly excessive” request – the ICO has provided additional guidance to help broaden this definition;
- when a fee can be charged for excessive, unfounded or repeat requests – the ICO has updated what organisations can take into account when charging an admin fee.
The ICO has also announced that it will be offering future guidance on SARs, including a simplified SAR guide for small businesses which contains the key points from the detailed guidance. Whilst this guidance is welcomed, managing SARs is an increasingly complex and costly exercise, particularly where wide-ranging requests are made. The ICO guidance confirms that a data controller “cannot force an individual to narrow the scope of their request, as they are still entitled to ask for ‘all the information you hold’ about them”. Organisations are therefore still obliged to comply with SARs seeking everything held relating to a data subject, which can be an incredibly time-consuming exercise.
We will be running a webinar on managing complex subject requests in the near future and further details will be circulated shortly.