Quastels
  • Expertise
    • Corporate & Commercial
    • Commercial Real Estate
    • Residential Real Estate
    • Digital Assets & Blockchain
    • Data Protection & Privacy
    • Employment
    • Dispute Resolution
    • Sports
    • Private Client
    • Immigration & Recruitment
  • Team
  • News
  • Careers
  • Contact
Menu
Quastels
  • Home
  • Expertise
  • Team
  • Careers
  • Fees
  • News
  • Contact
Quastels

“Timescales For Subject Access Request Compliance Just Got Tighter”

  • Home
  • News
  • News
  • “Timescales For Subject Access Request Compliance Just Got Tighter”
  • 5 February 202025 November 2021
  • Well Studio

Ann-Maree Blake, Data Protection and Corporate Partner

If you thought timescales for complying with a Subject Access Request (SAR) were already tight, you will be dismayed to learn that the Information Commissioner’s Office (ICO) has raised the bar.

The UK’s privacy and data protection watchdog has amended its General Data Protection Regulation: Right of access guidance on the period for compliance with a SAR.  If you request further information from the data subject following receipt of their request, the one-month timescale allowed to comply with the request will no longer be paused whilst you wait for the information.

The Right of Access Guidance states under Can we clarify the request?

“If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request [(see recital 63, GDPR)]. However, this does not affect the timescale for responding – you must still respond to their request within one month. You may be able to extend the time limit by two months if the request is complex or the individual has made a number of requests”.

Responding to certain SARs just got a whole lot trickier.

What can I do?

Update your data mapping

With this additional pressure on time and resources, it is crucial to ensure your data mapping is current at all times.  You need to know where the personal data you hold on people is kept.  It is also vital to ensure changes of address (physical and email), nicknames, and phone numbers are recorded and added to a centralised database.

Create a tailored access request form

The General Data Protection Regulation, GDPR, does not require data subjects to send their SAR in any particular format or form.  However, having a form for SARs available for use by data subjects who wish to submit a SAR or sending it to them following receipt of the data subjects own form of SAR will streamline the process.  The more information gathered from the outset, such as previous contact details, the full name of the person requesting their information, and any dates which may assist request compliance, mitigates the risk of having to wait for clarification or additional material.

A word of caution – the ICO specifically states that organisations must respond to SAR’s received by letter, email, or verbally.  Furthermore, you cannot demand a person complete your form, nor can you try to use it as a way of extending the one-month time limit for responding.

If you require advice on GDPR or any other privacy or data protection matters, please get in touch with Ann-Maree Blake, a Partner in our Data Protection team.

Please note – this article does not constitute legal advice.

Posted in News
© All right reserved
  • +44 (0)20 7908 2525
  • enquiries@quastels.com
  • Quastels LLP, Watson House, 54 Baker Street, London W1U 7BU

We are using cookies to give you the best experience on our website. Find out more in our Cookie Policy and Website Privacy Policy

Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

Find out more in our Cookie Policy, Client Privacy Policy and Website Privacy Policy

Strictly Necessary Cookies

Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.

If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.

3rd Party Cookies

This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.

Enabling this cookie enabled helps us to improve our website.

Please enable Strictly Necessary Cookies first so that we can save your preferences!