Skip to main content
Insight

I got a SAR on Monday; searched across my files on Tuesday, extended the deadline on Wednesday; and on Thursday and Friday and Saturday; I disclosed on Sunday (An updated SAR response deadline from the ICO)

Amy Lambert
14/08/2019

Locations

United Kingdom

The latest updated guidance from the ICO regarding the calculation of the time limit to respond to a subject access request ("SAR") has reduced the amount of time that controllers have to comply with such requests.

Unlike the classic Craig David '00s hit parodied for the purposes of this blog title, the Information Commissioner's Office ("ICO") is thankfully not now suggesting that SAR disclosures should be made outside of the working week. However, the latest updated guidance from the ICO regarding the calculation of the time limit to respond to a subject access request ("SAR") has reduced the amount of time that controllers have to comply with such requests.

Under the General Data Protection Regulation ("GDPR") a subject access request must be dealt with "without undue delay and in any event within one month of receipt of request". In addition, this period may be extended by a further two months where necessary, taking into account the complexity and number of requests. Despite this, the controller must still inform the requestor about the extension within one month of the receipt of the original request (along with the reasons for the delay).

Until recently, the ICO's guidance on responding to SARs stated that the one-month time limit began to run the day after the request was received (or, where the identification of the requestor was reasonably required, the day after the verification of their identity). Or, to put it another way:

  • The SAR is received on 12 August 2019.
  • The one-month deadline begins to run on 13 August 2019.
  • Unless extended, the response deadline is 13 September 2019.

This is now no longer the case.

The latest version of the ICO's guidance has stated that, in contrast to previous guidance, the deadline for response now starts running on the day that the request is received (or, the date that the requested verification is received).

The rest of the ICO guidance for calculating SAR response timelines remains as it was.

For example, if the following calendar month is shorter (so there is no corresponding calendar date), the ICO's position remains that the date for the response must be the last day of the following month. For example:

  • The SAR is received on 31 March 2019.
  • The one-month deadline begins to run on 31 March 2019.
  • Unless extended, the response deadline is 31 April 2019, which does not exist.
  • The deadline for response is therefore 30 April 2019.

In addition, the ICO has made it clear that (helpfully) if the corresponding date falls on a weekend or a public holiday, the controller still has until the next working day to respond. For example:

  • The SAR is received on 14 August 2019.
  • The one-month deadline begins to run on 14 August 2019.
  • Unless extended, the response deadline is 14 September 2019, which is a Saturday.
  • The deadline for response is therefore 16 September 2019 (a Monday, the next working day).

 As ever, the ICO also suggests that if businesses need to implement a standard response period for any and all SARs received, for practical purposes it may be useful to adopt a standard 28-day period for responding, to ensure that the controller always complied within a calendar month.

However, for those living SAR deadline to deadline, time to recalibrate those timelines.

Sign up to our email digest

Click to subscribe or manage your email preferences.

SUBSCRIBE

Related Work Areas

Technology