The Information Commissioner’s Office (ICO) has published detailed guidance for organisations on how to deal with rights of access to personal data (subject access rights) under the General Data Protection Regulation.
Three key issues arising from feedback received when the draft version of the guidance went out for consultation in December 2019 are addressed in the published guidance:
- Stopping the clock for clarification. The ICO has explained, and illustrated with examples, the circumstances in which a subject access request (SAR) may be deemed complex, allowing the response period of up to a month from receipt of the SAR to be paused while the controller waits for the individual to clarify their request.
- Determining when an SAR is manifestly excessive. The guidance confirms this assessment requires the controller to consider whether the SAR is clearly or obviously unreasonable. The ICO recommends taking all the circumstances of the SAR into account and using them to determine whether the response required is proportionate when balanced with the burden or costs involved in dealing with the SAR.
- Costs which can be included when charging a reasonable fee for excessive, unfounded or repeat SARs. The controller’s reasonable fee may include the costs of its staff time, copying, postage and other expenses involved in transferring the data to the individual, including the costs of discs, envelopes and USB devices.
Data protection practitioners and organisations in general are likely to welcome the enhanced content and detail set out in this new guidance, which is intended to ease the complexity and reduce the response times associated with SARs. Further resources to assist with responding to SARs, including a guide for small businesses, are being developed by the ICO.