NEWS23 August 2019

Subject access request guidelines changed by ICO

GDPR News Privacy UK

UK – The Information Commissioner’s Office (ICO) has updated its guidance on timescales for responding to subject access requests.

Countdown clock_crop

Under the General Data Protection Regulation (GDPR), organisations must respond to a subject access request – a request made by an individual to access their personal data – within one month of receiving the request.

Following a ruling from the Court of Justice of the European Union (CJEU), the time limit has changed to reflect the day of receipt of a subject access request as ‘day one’, instead of the day after (the ICO’s previous guidance).

The change means that the time limit begins on the day a request is received, regardless of whether it is a working day or not. For example, a subject access request received on 3rd September should be responded to by 3rd October.