ICO Updates Start to DSAR Response Timing for GDPR

The United Kingdom Information Commissioner’s Office (ICO) has updated its guidance on the timing for Data Subject Access Requests (DSARs) under the General Data Protection Regulation (GDPR). The new guidance indicates that the one month time period begins on the day the response is received, rather than the following day.

GDPR provides that organizations provide information from data subject access requests without undue delay, and in any event within one month of the receipt of the request. The timing of these responses under the previous ICO guidance had started the next day. Now, it will begin on the same day that it is received. The count begins on the day of receipt even if it falls on a weekend or holiday.

The example used by the ICO in the new guidance is one where the request is received on September 3rd, and thus the deadline for the response is October 3rd.

The deadline date is extended to the next business day if it falls on a weekend or bank holiday. If there is no corresponding calendar date in the following month because the month of receipt has more days, than the response is due on the last day of the month.

The GDPR time period is about one-third shorter than the California Consumer Privacy Act (CCPA), which specifies a 45 day initial period for businesses to respond. The CCPA does not specifically indicate how it will handle the rules for counting days, so it will probably either be provided for in the California Attorney General CCPA regulations released in the next few months or they will adopt the timing used by the California judicial system.