Right of Access
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.
We all know about the one month time-frame to respond, it’s set in Article 12 of the General Data Protection Regulations (GDPR), but when does the clock start?
Well until recently the Information Commissioners Office (ICO), which regulates the legislation said:
You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. [wording taken from archived web page live on December 21 2018]
But now the wording has altered, by one word:
You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month.
Okay it’s removed one word, but the implications could be vast for organisations that receive multiple requests and have already programmed their systems according to the older wording of the guidance.
eNaycH took a few hours looking at the changes and applied a couple of scenarios over what the landscape could look like and would suggest organisations plan well as in some instances there will be only 15 working days to reply, based on the 2019 calendar.
Looking at purely national holidays in 2019, we’re presented something along these lines, but must also bear in mind any early closing of offices, which has not been incorporated in the example.
This example is perhaps the best to show the potential loss of workdays to respond to a Data Subject Access Request, as above it has not taken into account any early closing of offices.
The ICO appears to have adopted case, law namely the European Regulation 1182/87 and a court case dating back to 2004 but one is still left wondering whether such a change on the regulators own website should have been highlighted a little more?
Thank you goes to the Linkedin Data Protection Community group for sharing the information.
Does your organisation have a Data Subject Access Request calendar that it relies on? Do you believe that one would be beneficial? If so, please use the contact form to let eNaycH know and perhaps, with time we’ll be able to publish one.