Until the General Data Protection Regulation (GDPR) came into force in May 2018, employers typically had 40 days in which to provide their employees with a response to a data subject access request (DSAR). Under data protection laws, employees are entitled to request a wide variety of information relating to the data their employers store about them. On occasion, responding to these DSARs can prove labour-intensive and time-consuming. As a result, some employers were, no doubt, disappointed when the normal deadline for providing a response was reduced to one month.
Following a recent decision in the European Court of Justice, the Information Commissioner’s Office has refined its guidance on how employers should calculate the expiry date for the one-month deadline. Previously, it was believed that ‘day one’ of the one month period fell on the day after the DSAR was received. The ICO has now confirmed that ‘day one’ falls on the date of receipt itself. In practical terms, this means that if an employer receives a DSAR on 6 September, it must normally provide a response by no later than 6 October.
Whilst this development is important, it’s worth bearing in mind that all requests should actually be answered ‘without undue delay’. By the same token, if you believe that the nature and extent of the request means you will need more than a month in which to respond, it is possible to extend the deadline by a further two months.
All in all, these sorts of situations can prove complicated and it pays to make sure you understand your GDPR rights and obligations.
If you have received a DSAR and are wondering whether, when and how to respond, please get in touch for further advice.