Privacy & Information Security Law Blog

On October 21, 2020, the UK Information Commissioner’s Office (“ICO”) released its updated guidance on the data subject right of access under Article 15 of the EU General Data Protection Regulation (“GDPR”). The ICO provided a draft of the guidance for consultation in December 2019, and in response to the feedback it received, supplemented the guidance with additional content. The guidance provides more in-depth advice for organizations than what was provided in the ICO’s previous guide and includes examples designed to demonstrate how the GDPR’s requirements will apply in practice.

In the guidance, the ICO emphasizes the importance of taking a proactive approach to responding to subject access requests, in order to streamline the process of responding and increase levels of public trust in an organization. The ICO highlights that the preparatory steps an organization should take will depend on a number of factors, including (1) the type of personal data the organization processes; (2) the number of requests that the organization receives; and (3) the organization’s size and resources. Depending on these factors, the preparatory steps may include creating (1) asset registers to establish where data is held; (2) checklists to ensure a consistent approach to responses; and (3) retention and deletion policies to ensure that personal data is not retained for longer than is necessary.

Following the rise in third-party service providers making access requests on behalf of individuals, the ICO guidance specifically addresses these requests, noting that the service provider is responsible for providing evidence that it has appropriate authority to act on the individual’s behalf. In addition, if the controller is not able to view the access request without paying a fee or signing up to a service, it is not considered to have ”received” the access request and is therefore not obliged to respond.

The guidance also provides clarification on the following points:

• When a controller requires a clarification from the data subject in relation to an access request, the controller may “stop the clock” until a response is received. This relieves controllers from having to respond to access requests within the one-month deadline provided by the GDPR, where clarification is genuinely required.
• A manifestly excessive request is one which is clearly or obviously unreasonable, based on whether the request is proportionate when balanced with the burden or costs involved in handling the request. This is a broader definition than relied on by the ICO in the past.
• When charging a fee for responding to excessive, unfounded or repeat requests, controllers may take into account the costs of photocopying, printing, postage and any other costs involved in transferring the information to the individual, as well as the costs of equipment and supplies and the time required by staff to provide a response.

The ICO stated that it is planning a suite of resources to assist with subject access requests, which will include a simplified guide for small businesses that highlights the key points from the ICO’s more detailed guidance.