The Information Commissioner's Office has amended its General Data Protection Regulation: Right of access guidance to apply a stricter timescale for employers (and other data controllers) to comply with a data subject access request (DSAR). Previously, if a controller asked the data subject for further information/clarification of the request, the start of the one-month time period for compliance was paused until that information was received. The guidance has now been amended to state that the clock will no longer be paused in this situation – the one-month timescale will start to run from the date of receipt of the DSAR or, if later, upon receipt of proof of identification. Controllers may be able to extend the time limit by two months if the request is complex or the individual has made a number of requests.
If the data subject delays in providing the information requested, this could significantly reduce the time available to collate a response. Employers will need processes in place to ensure they can respond quickly and efficiently.
The ICO consulted on its more detailed draft Right of access guidance until 12 February 2020 and the final version is awaited. The draft adopted the same approach as the amended guidance discussed above.
Key contacts
Steve Bell
Managing Partner - Employment, Industrial Relations and Safety (Australia, Asia), Melbourne
Emma Rohsler
Regional Head of Practice (EMEA) - Employment Pensions and Incentives, Paris
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.