On October 21, 2020, the Office of the UK Information Commissioner (“ICO”) published its updated guidelines on the data subject’s right of access under Article 15 of the EU General Data Protection Regulation (“GDPR”). The ICO submitted a draft of the guidelines for consultation in December 2019 and added additional content to the guidelines in response to the feedback received. The guidelines provide more extensive advice to organizations than was provided in the previous ICO guide and include examples to show how the requirements of the GDPR will apply in practice.

In the guidelines, the ICO emphasizes the importance of taking a proactive approach to responding to access requests in order to streamline the response process and increase public confidence in an organization. The ICO highlights that the preparatory steps an organization should take depend on a number of factors, including (1) the type of personal data the organization is processing, (2) the number of requests the organization receives, and (3) the organization’s size and resources. Depending on these factors, preliminary steps may include creating (1) property registers to determine where data is being stored, (2) checklists to ensure a consistent approach to responses, and (3) retention and deletion policies to ensure that personal data are not kept available for longer than necessary.

Following the rise in the number of third-party service providers making access requests on behalf of individuals, these requests are specifically addressed in the ICO guidelines, with a note that it is the service provider’s responsibility to provide evidence that it has the appropriate authority to act on behalf of the individual. If the controller cannot view the access request without paying a fee or logging into a service, it is considered not to have received the access request and is therefore not required to respond.

The guidelines also explain the following points:

  • If a controller needs clarification from the data subject regarding an access request, the controller can stop the clock until a response is received. This relieves the controller of the obligation to answer the access request within the one-month period specified by the GDPR, provided the clarification is genuinely necessary.

  • An obviously excessive request is one that is clearly or obviously inappropriate, judged by whether the request is proportionate when balanced against the burden or cost of processing it. This is a broader definition than the one the ICO has relied on in the past.

  • When charging a fee for responding to excessive, unfounded, or repeated requests, controllers may take into account the cost of photocopying, printing, postage and other costs associated with providing the information to the individual, as well as the cost of equipment and supplies and the staff time needed to respond.

The ICO stated that it plans to publish a number of resources to assist with subject access requests. These include a simplified small-business guide that highlights key points from the ICO’s more detailed guidance.

Copyright © 2020, Hunton Andrews Kurth LLP. All rights reserved.

National Law Review, Volume X, Number 300