Data Subject Access Requests – Important Changes to Time Limits
Since the arrival of the General Data Protection Regulation (GDPR), we have advised a number of Clients who have received data subject access requests (DSARs) from data subjects. The Information Commissioner’s Office (ICO), the regulatory body in the UK, has recently amended its guidance on the timescales for compliance. Organisations need to be aware of these amendments to the DSAR time limits, because they remove an option many have relied on.
What we already know about DSAR time limits:
When a DSAR is received, the recipient must respond without undue delay and in any event within one month of receipt of the request. So, if a DSAR is received on 1 January, you have until 1 February to comply. Where the following month has no corresponding date (for example, a request received on 31 January), the deadline is the last day of that month. I recommend that Clients respond within 28 days so that compliance always falls within a calendar month, whatever the length of the month.
If you genuinely need to verify the identity of the person making the request, the one month does not start to run until the ID information is provided. This has not changed.
What has changed:
Up until now, if the DSAR was vague or involved a significant amount of information, you were able to request clarification. You cannot require the requester to narrow the scope of the request, but you can ask for additional information to assist your searches. Historically, a request for clarification ‘stopped the clock’ until the data subject provided it. This has now changed. A request for clarification no longer ‘stops the clock’: the one month response period runs without pause or interruption from the date the DSAR is received.
What you need to do:
Searches for personal data need to start immediately upon receipt of a DSAR. You can still write to the data subject to seek clarification, but if the data subject does not respond, you must still answer within the time limit after having carried out a reasonable search for the information covered by the DSAR.
It is therefore imperative that organisations double check their DSAR procedures, retention policies and data processes to ensure that they are robust and effective. You can no longer ‘buy a little time’ by seeking further clarification. Organisations should readily know what personal data they hold, where it is held (with appropriate security measures), why it is held and how long it is held for (the data subject should have been told this too, in your privacy notice). If these basics are in place (they alone do not ensure GDPR compliance), then responding to a DSAR should be relatively straightforward.
A data controller still has the ability to extend the time to respond by a further two months, but only where this is necessary because the DSAR is complex or you have received a number of requests from the same data subject. You must notify the data subject of the extension, and the reasons for it, within one month of receipt.
DSARs often just say, ‘give me all of the personal data that you hold on me’. A data subject is entitled to do this. But if the requester is an employee with 30 years’ service, you are going to hold thousands of items of their personal data. You may write back and ask for specific incidents, dates and so on, but the data subject does not need to respond, and you cannot hold off your searches until you receive a response. The obligation is on you to respond within one month of receipt after having carried out reasonable searches. A case like this will be an enormous administrative burden, and there is no way around it. I can see DSARs continuing to increase, but I feel that in some cases they will simply be used as a tactic by the data subject rather than with a genuine intent to exercise their right of access (which is their right under the GDPR). I feel that the ICO needs to consider these types of requests (purely tactical or nuisance requests), as the burden placed on DSAR recipients is often significant. Helpfully, there has been further guidance from the ICO on ‘manifestly unfounded’ requests, but this is still quite limited. I will produce a further article on this soon.