July 14, 2020

Volume X, Number 196

July 13, 2020


ICO Consults on Draft Subject Access Request Guidance

The ICO has published draft guidance (the “guidance”) on data subject access requests (“DSARs”), which updates the previous code of practice, last issued in 2017. This guidance takes into account the relevant provisions of the GDPR and UK Data Protection Act 2018 (“DPA”). The ICO will be consulting on this draft guidance until 12 February 2020.

Importantly, the ICO recognises some of the issues that businesses are facing in relation to DSARs, in that the guidance:

  • Explains when a request may be considered complex. The guidance states that a large volume of data may add to the complexity of a request, but notes that volume alone is not a reason to consider a DSAR complex;

  • Provides greater clarity on what a business can take into consideration when it is considering the monetary value of a fee. For example, photocopying and printing are generally valid administration costs, but a business cannot charge for the time taken to deal with the request;

  • Includes a section on what businesses should do when a request involves information about another identifiable individual. It provides further guidance on the DPA exception relating to third-party data; and

  • Contains some practical guidance about the DPA exceptions, such as negotiations and management information.

Whilst this is a valuable update from the ICO, which might provide some helpful additional information, it should be noted that it is only a draft for consultation. The ICO is seeking views from stakeholders and the public about the proposed guidance. In particular, it wishes to understand what specific issues businesses have faced in responding to DSARs since the GDPR was implemented in May 2018. If you are interested in responding, please use this link.

© Copyright 2020 Squire Patton Boggs (US) LLP

National Law Review, Volume IX, Number 339


About this Author

Emma Yaltaghian, Squire PB, Data Privacy Lawyer

Emma Yaltaghian is a member of our Data Privacy & Cybersecurity team. Emma advises clients on all aspects of compliance with the EU GDPR and UK Data Protection Act 2018, as well as the EU ePrivacy rules.

Emma also assists the EMEA Communications Practice by providing regulatory advice.

Emma has successfully project managed numerous data protection compliance projects, including conducting detailed gap analysis and remediation.

Emma has advised clients in data breach scenarios, including cross-border data breaches. She has also advised on whether or not notification...

+44 20 7655 1515