Unlike the classic Craig David '00s hit parodied for the purposes of this blog title, the Information Commissioner's Office ("ICO") is thankfully not now suggesting that SAR disclosures should be made outside of the working week. However, the latest updated guidance from the ICO regarding the calculation of the time limit to respond to a subject access request ("SAR") has reduced the amount of time that controllers have to comply with such requests.
Under the General Data Protection Regulation ("GDPR") a subject access request must be dealt with "without undue delay and in any event within one month of receipt of request". In addition, this period may be extended by a further two months where necessary, taking into account the complexity and number of requests. Despite this, the controller must still inform the requestor about the extension within one month of the receipt of the original request (along with the reasons for the delay).
Until recently, the ICO's guidance on responding to SARs stated that the one-month time limit began to run the day after the request was received (or, where the identification of the requestor was reasonably required, the day after the verification of their identity). Or, to put it another way:
This is now no longer the case.
The latest version of the ICO's guidance has stated that, in contrast to previous guidance, the deadline for response now starts running on the day that the request is received (or, the date that the requested verification is received).
The rest of the ICO guidance for calculating SAR response timelines remains as it was.
For example, if the following calendar month is shorter (so there is no corresponding calendar date), the ICO's position remains that the date for the response must be the last day of the following month. For example:
In addition, the ICO has made it clear that (helpfully) if the corresponding date falls on a weekend or a public holiday, the controller still has until the next working day to respond. For example:
As ever, the ICO also suggests that if businesses need to implement a standard response period for any and all SARs received, for practical purposes it may be useful to adopt a standard 28-day period for responding, to ensure that the controller always complied within a calendar month.
However, for those living SAR deadline to deadline, time to recalibrate those timelines.
Sign up to our email digest