The new version of the guidance, aimed at data protection officers and those with specific responsibilities for data protection, has been published following a consultation that began in December 2019. 

Subject access requests (SARs) are those made by or on behalf of an individual for the information which they are entitled to ask for under the General Data Protection Regulation (GDPR).

As part of the guidance, the ICO has said that in certain circumstances, organisations can pause the time limit – or ‘stop the clock’ – while they await further clarification on requests from the individual issuing the request.

Under GDPR, organisations have a month to comply with a subject access request but can extend the time to respond by two months if the request is complex.

The ICO has also broadened its definition of what constitutes a ‘manifestly excessive request’ – i.e. in which circumstances an organisation could refuse to comply with a request.

Other changes to the guidance include an update on what admin costs companies can take into account when charging a fee for ‘excessive or unfounded’ requests.

Anulka Clarke, acting director of regulatory assurance at the ICO, wrote in a blog post: “The right of access is a cornerstone of data protection law and good SAR compliance instils trust and confidence. That’s why it’s essential that organisations get this right, because people’s trust in how organisations use their personal data plays a role in their overall confidence and support for your services.”