UK: Data Subject Access Requests – Change To Time Limit

Employers, take note. In an unusually understated fashion (no formal announcement has been made), the Information Commissioner's Office (ICO) has recently changed its interpretation of Article 12 of the General Data Protection Regulation (GDPR), which sets a one month timescale for employers to respond to a data subject access request (DSAR).

A DSAR enables individuals, either in writing or verbally, to access their personal data within a set timeframe and although, in theory, it's a small regulatory change, in practice it's an important (and potentially costly) one, which all employers should be aware of.

What has been changed?

Previously (actually until very recently), the ICO said you should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. Therefore, if a DSAR was received on 3^rd September, the deadline for responding would have been 4^th October.

Now the ICO is saying you should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month. This means that if a DSAR is received on 3^rd September, the deadline for responding will be 3^rd October (not 4^th October as previously understood).

Why the change of heart from the ICO?

Well, it is (rather surprisingly!) down to a dated European Regulation 1182/71, which sets out the rules applicable to periods, dates and time limits, and a 2004 Court of Justice of the European Union case (C-171/03, Maatschap Toeters and M.C. Verberk v Productschap Vee en Vlees), which explored how the period of time fixed by the law should be calculated.

The court case referred to Article 3 of the Regulation and the Latin maxim with which it accords: dies a quo non computatur in termino, dies ad quem computatur. It clarifies that the upshot of the Regulation is that the relevant deadline is calculated as the corresponding date in the following month (or the last day of the month if there is no such corresponding date), i.e. a request on 10 January gives a 10 February deadline and a request on 31 August gives a 30 September deadline.

How does this impact employers?

Irrespective of whether you agree or disagree with the ICO's rationale for the change, it is important to consider what this means practically for employers:

• Checking and updating internal procedures (such as a DSAR policy) for handling DSARs.
• Any IT systems which will have been set or programmed according to the previous one month deadline will need to be reset.
• The one month period is now effectively one day shorter – which for some employers will mean getting organised even earlier.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.