The Information Commissioner’s Office (ICO) has said that organisations need to change their calculations on responding to subject access requests (SARs).
It has adjusted its guidance on compliance with the General Data Protection Regulation (GDPR) and Data Protection Act following a ruling of the EU Court of Justice.
Individuals have the right to submit SARs to an organisation to obtain any information it holds on them. Under the GDPR the one calendar month deadline for a response has usually been applied from the day after submission, but the court ruling said it should not be from the day the request was received.
In a statement, the ICO said: “Organisations will need to ensure their processes for handling requests are modified to account for this change. The ICO will not be taking retrospective action based solely on this update but will expect organisations to comply with this change as soon as possible.
“Organisations will also need to amend any guidance they currently provide relating to SARs or GDPR timelines.”
It added that there will be no change to the timescales for responding to freedom of information or environmental information requests.
Image from iStock