Adjustment to Subject Access Requests Response Times
The ICO has recently published updated guidance on the rules for calculating time limits for Subject Access Requests. This was set by the GDPR as requiring a response within one calendar month of a subject access request. Previously, if a request was received on the 1st September, this one-month time limit started the following day and the organisation could reply by 2nd October.
The new guidance is that the time limit will run from the date that the request is received. To use the example above, a request received on 1st September (including a request received outside working hours) must be responded to by 1st October. Although the change seems slight, If the request is received late on a Friday, by the time it starts to be processed on Monday up to 3 days could have already passed.
The guidance around the expiry of the one-month period remains the same. No response is required on a weekend or public holiday, so if the limit expires on such a day then the response should be made by the end of the next working day. Where a request is received on a calendar date which does not correspond with the following month because the following month is shorter, such as a request made on 31st January, the one month period will expire on the last day of the following month, 28th February (or 29th if a leap year).
If you have any queries regarding this, or any other data protection concern then please don’t hesitate to contact Louise Weatherhead at Sintons LLP on 0191 2263699 or by email at firstname.lastname@example.org.