This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Find out more here

NEWS23 August 2019

Subject access request guidelines changed by ICO

GDPR News Privacy UK

UK – The Information Commissioner’s Office (ICO) has updated its guidance on timescales for responding to subject access requests.

Under the General Data Protection Regulation (GDPR), organisations must respond to a subject access request – a request made by an individual to access their personal data – within one month of receiving the request.

Following a ruling from the Court of Justice of the European Union (CJEU), the time limit has changed to reflect the day of receipt of a subject access request as ‘day one’, instead of the day after (the ICO’s previous guidance).

The change means that the time limit begins on the day a request is received, regardless of whether it is a working day or not. For example, a subject access request received on 3rd September should be responded to by 3rd October.