NEWS23 August 2019
UK – The Information Commissioner’s Office (ICO) has updated its guidance on timescales for responding to subject access requests.
Under the General Data Protection Regulation (GDPR), organisations must respond to a subject access request – a request made by an individual to access their personal data – within one month of receiving the request.
Following a ruling from the Court of Justice of the European Union (CJEU), the time limit has changed to reflect the day of receipt of a subject access request as ‘day one’, instead of the day after (the ICO’s previous guidance).
The change means that the time limit begins on the day a request is received, regardless of whether it is a working day or not. For example, a subject access request received on 3rd September should be responded to by 3rd October.