The ICO, Britain’s privacy authority, recently issued reprimands to seven organizations citing multiple failures of the organizations to respond to data subject access requests either within the statutory time frame or at all. Recognized as one of the fundamental rights under numerous data protection laws, data or subject access requests (“DSARs”) provide a mechanism by which a consumer can request that an organization explain what personal information it has about that consumer, and how such information is used and shared. This requirement exists under UK GDPR, mirroring the GDPR requirement.
Organizations generally have thirty to forty-five days to respond to a DSAR. That time period may be extended under certain circumstances. The ICO has increased its focus on DSAR violations. One of the cited organizations, Virgin Media, received over 9500 SARs over a six-month period in 2021, but according to the ICO, failed to respond to 14% of them during the statutory timeframe.
The ICO emphasized its continuing expectation that DSARs be handled appropriately and in a timely fashion in order to “encourage[s] public trust and confidence and ensure[s] organizations stay on the right side of the law.”
Putting It Into Practice. These cases are a good reminder to process DSARs in a timely manner, as those with access request rights will be expanding in the near future. For those entities who receive significant numbers of requests, having a streamlined process in place will help review and respond to requests.