ICO updates guidance on timescales for responding to individuals’ rights: Date of receipt is ‘day one’
- United Kingdom
- Privacy, data protection and cybersecurity
16-08-2019
What you need to know
UK regulatory guidance has been updated to the effect that the timescale for responding to individuals’ requests (including subject access requests) is one calendar month from the day of receipt of the request, not the day after receipt.
Further detail
The Information Commissioner’s Office (“ICO”) updated its guidance on individuals’ rights yesterday to bring its approach to timescales in line with the approach taken more widely across the EU.
The timescale applies to requests made by individuals under the GDPR, including requests made to exercise rights of access, rectification, erasure, restriction of processing, data portability, objection and rights in relation to automated individual decision-making.
Controllers must comply with requests without undue delay and at the latest within one month of receipt of the request.
There may also be circumstances where the timescale is extended to within one month of receipt of: (i) any information requested to confirm the requester’s identity; (ii) any requested information to clarify the request, or (iii) a fee.
Timescales in subject access requests
The ICO’s updated subject access request guidance states that controllers “should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month… If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month”.
Controllers should also note that it remains the case that, if the corresponding date falls on a weekend or a public holiday, the deadline for response can be extended to the next working day.
On timescales, the ICO suggests that, for operational or system purposes, it may be useful to adopt a 28-day response period to help with consistency and to ensure requests are always responded to within a calendar month.
Action required
We recommend that you take the following steps to check that your systems and processes are aligned with the GDPR’s requirements and UK regulatory guidance, as needed.
• Identify those areas of your business impacted by requests from individuals to exercise their rights under GDPR. Your Article 30 record of processing activities should help with this exercise.
• Work with business teams, as applicable, to ensure your policies, systems and processes enable requests to be dealt with in accordance with GDPR, including within the applicable timescales.
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.