“Timescales For Subject Access Request Compliance Just Got Tighter”

“Timescales For Subject Access Request Compliance Just Got Tighter”

Wednesday, February 5, 2020

Ann-Maree Blake, Data Protection and Corporate Partner

If you thought timescales for complying with a Subject Access Request (SAR) were already tight, you will be dismayed to learn that the Information Commissioner’s Office (ICO) has raised the bar.

The UK’s privacy and data protection watchdog has amended its General Data Protection Regulation: Right of access guidance on the period for compliance with a SAR.  If you request further information from the data subject following receipt of their request, the one-month timescale allowed to comply with the request will no longer be paused whilst you wait for the information.

The Right of Access Guidance states under Can we clarify the request?

“If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request [(see recital 63, GDPR)]. However, this does not affect the timescale for responding – you must still respond to their request within one month. You may be able to extend the time limit by two months if the request is complex or the individual has made a number of requests”.

Responding to certain SARs just got a whole lot trickier.

What can I do?

Update your data mapping

With this additional pressure on time and resources, it is crucial to ensure your data mapping is current at all times.  You need to know where the personal data you hold on people is kept.  It is also vital to ensure changes of address (physical and email), nicknames, and phone numbers are recorded and added to a centralised database.

Create a tailored access request form

The General Data Protection Regulation, GDPR, does not require data subjects to send their SAR in any particular format or form.  However, having a form for SARs available for use by data subjects who wish to submit a SAR or sending it to them following receipt of the data subjects own form of SAR will streamline the process.  The more information gathered from the outset, such as previous contact details, the full name of the person requesting their information, and any dates which may assist request compliance, mitigates the risk of having to wait for clarification or additional material.

A word of caution – the ICO specifically states that organisations must respond to SAR’s received by letter, email, or verbally.  Furthermore, you cannot demand a person complete your form, nor can you try to use it as a way of extending the one-month time limit for responding.


If you require advice on GDPR or any other privacy or data protection matters, please get in touch with Ann-Maree Blake, a Partner in our Data Protection team.

Please note – this article does not constitute legal advice.