Back in October 2020, the Information Commissioner’s Office released updated guidance on the right of access.

This new guidance was very much welcomed and gives businesses a little more clarity when it comes to responding to a Data Subject Access Request (DSAR), particularly around ‘stopping the clock’ to ask for clarification and what counts as a manifestly excessive request.

Don’t delay

The timeframe for responding to a DSAR is one month, which is quite a short period. Make sure that, as soon as you receive a request, you start acting on it.

You can ‘stop the clock’ on the response time by asking for clarification. However, you should not ask for clarification on a blanket basis – only were clarification is generally required AND you process a large amount of information about the individual.

Identify the data subject

If you have reasonable doubts about the identity of the person making the request, you may request additional information to confirm the data subject’s identity.

Know what you hold and where to find it

As the response timeframe is short, it’s key to know what you’ve got about an individual and where to find. Particularly in cases where a DSAR is for all information held about an individual.

There is no requirement to undertake unreasonable or disproportionate searches for information, but you must consider the circumstances of the request, the difficulty involved in finding the information and the principle of the right of access when deciding whether you have undertaken a reasonable search.

Inform the data subject if you do not intend to respond

If a DSAR is manifestly unfounded or excessive, a controller may either charge a fee or refuse to act on the request.

The new ICO guidance states that businesses should consider each request individually and that a request is not necessarily excessive, just because it relates to a large about of information.

Respond by electronic means

In most cases it seems likely that data subjects will make their DSAR via an electronic method. Where this is the case, you should respond in the same way unless the data subject specifically requests their response to be in a different format.

We regularly support businesses in responding to DSARs as well as putting processes in place to make responding a less cumbersome task. If you would like further information or advice, please contact our Corporate and Commercial team.