Information Commissioner’s Office publishes detailed guidance on Subject Access Requests

The ICO has published detailed guidance to help organisations deal with a subject access request (SAR) under the GDPR effectively and efficiently.

Following public consultation on the guidance, the ICO has revised the guidance document to incorporate changes, additional content and further clarity on three key points raised:

  1. stopping the clock for clarification: one issue on which the ICO received a lot of feedback was that seeking clarification on requests often did not leave enough time to respond. As a result, the ICO’s position now is that, in certain circumstances, the clock can be stopped whilst organisations are waiting for the requester to clarify their request;
  2. what is a manifestly excessive request: to combat confusion over when to class a request as manifestly excessive, the ICO has provided additional guidance and broadened its definition; and
  3. what can be included when charging a fee for excessive, unfounded or repeat requests: the ICO has taken on board the feedback about the fee for staff time involved in responding to manifestly unfounded or excessive requests, or responding to follow-up SARs, and has updated the information that organisations can take into account when charging an admin fee.

For extra support, the ICO is planning to provide a suite of resources, including a simplified SAR guide for small businesses that picks out the key points from the detailed guidance. The full ICO blog post includes a link to the new guidance.
