U.K. Information Commissioner’s Office Publishes Detailed Guidance on Data Subject Access Requests under the GDPR - Clarip Privacy Blog


On October 21, 2020, the U.K. Information Commissioner’s Office (“ICO”) published updated, detailed guidance on the right of access under Article 15 of the European Union’s General Data Protection Regulation (GDPR), the right that individuals exercise by making data subject access requests (DSARs).

The guidance covers a variety of topics including how organizations should prepare for handling DSARs, recognizing DSARs, considerations in responding to a request, retrieving the relevant information, ways to supply information to the requester, circumstances where an organization may refuse to comply with the request, the exemptions to an obligation to comply with the request, and handling of DSARs in the context of health, education, and social work data.

The updated guidance provides specific clarity on the timelines for responding to requests and on what counts as a manifestly excessive request. With respect to timeliness, it is notable that the controller may now seek clarification of the scope of a request in certain circumstances (for example, when the company processes a large volume of personal data about the individual in his or her capacities as both the company’s employee and its customer) and that the response-time “clock” is paused until the individual provides the requested clarification. It is also notable that the one-month period to respond to a DSAR does not start until the controller receives the information it has requested to confirm the individual’s identity. By comparison, the time to respond to a data subject access request under the California Consumer Privacy Act is not suspended by the identity verification process.

Under the GDPR, a controller may refuse to comply with a DSAR that is manifestly unfounded or manifestly excessive. According to the updated guidance, to determine whether a request is manifestly excessive, a controller needs to consider whether it is clearly or obviously unreasonable.

Specifically, a controller needs to determine whether the request is proportionate when balanced against the burden or costs involved in dealing with it. The factors going into that assessment include the nature of the requested information; the context of the request; the relationship between the controller and the individual; whether a refusal to provide the information, or even to acknowledge that the controller holds it, may cause substantive damage to the individual; the controller’s available resources; and whether the request largely repeats previous requests or overlaps with other requests.

Furthermore, a request is not necessarily excessive just because the individual asks for a large amount of information. In that case, the controller should consider asking the individual for more information to help it locate the information the individual actually wants.

Overall, the updated guidance takes a business-pragmatic approach to fulfilling DSARs under the GDPR and provides much-needed help to controllers. Organizations in other jurisdictions that must respond to access requests under their own regulations may also find the guidance helpful to the extent it addresses general data-management issues relevant to handling data subject requests.

Ask Clarip today how we can solve your biggest privacy compliance pain points. Call Clarip at 1-888-252-5653.
