Global menu

Our global pages


ICO updates guidance on timescales for responding to individuals’ rights: Date of receipt is ‘day one’

  • United Kingdom
  • Privacy, data protection and cybersecurity


What you need to know

UK regulatory guidance has been updated to the effect that the timescale for responding to individuals’ requests (including subject access requests) is one calendar month from the day of receipt of the request, not the day after receipt.

Further detail

The Information Commissioner’s Office (“ICO”) updated their guidance on individuals’ rights yesterday to bring its approach to timescales in line with the approach taken more widely across the EU.

The timescale applies to requests made by individuals under the GDPR, including requests made to exercise rights of access, rectification, erasure, restriction of processing, data portability, objection and rights in relation to automated individual decision-making.

Controllers must comply with requests without undue delay and at the latest within one month of receipt of the request.

There may also be circumstances where the timescale is extended to within one month of receipt of: (i) any information requested to confirm the requester’s identity; (ii) any requested information to clarify the request, or (iii) a fee.

Timescales in subject access requests

In the ICO’s updated subject access request guidance, it states that controllers “should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month… If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month”.

Controllers should also note that it remains the case that if the corresponding date falls on a weekend or a public holiday, your deadline for response can be extended to the next working day.

In terms of timescales, the ICO suggests that for operational or system purposes, it may be useful to adopt a 28 day response period approach to help with consistency and to ensure requests are always responded to within a calendar month.

Action required

We recommend that you should take the following steps to check that your systems and processes are aligned with the GDPR’s requirements and UK regulatory guidance, as needed.

• Identify those areas of your business impacted by requests from individuals to exercise their rights under GDPR. Your Article 30 record of processing activities should help with this exercise.

• Work with business teams, as applicable, to ensure your policies, systems and processes enable requests to be dealt with in accordance with GDPR, including within the applicable timescales.