The Information Commissioner’s Office (ICO) has issued updated guidance on the timescales for responding to a data subject access request (DSAR) following a recent ruling of the Court of Justice of the European Union.
The general rule is that DSARs must be complied with without undue delay and at the latest within one month of receipt. The day of receipt of the DSAR will now be counted as Day One instead of the day after receipt. In the ICO’s example, this means that an organisation receiving a DSAR on 4 September has until 4 October to comply.
If there’s no corresponding calendar date in the following month, the date for responding will be the last day of the following month. In the ICO’s example, this means that an organisation receiving a DSAR on 31 March has until 30 April to comply.
It makes no difference to the calculation whether the day of receipt is a working day or a non-working day. However, where the calculated date for complying with the DSAR falls on a weekend or a public holiday, the organisation has until the end of the next working day to respond.
In light of this change, data controllers should review and revise their data protection and DSAR policies and any other documentation/notifications that reference the timescales for a response, including privacy notices.
Relevant staff within the organisation will need to be notified of the change.
Controllers should also review their arrangements with any data processors to ensure that the change is suitably addressed.