Under the old regime, organisations had 40 days in which to respond, and could charge a fee of £10. Now, the response must be provided within a month, and fees can only be charged in exceptional situations.
So what can you do to make your life easier? There are some possibilities under the new legislation.
Where the SAR is a complex request, or a multiple request, you may be able to extend your time for responding by up to two further months. You have to inform the individual, within one month of the receipt of the SAR, of the time extension and the reasons why the extension is necessary. This option should not be used as a matter of course, but only in exceptional situations. Bear in mind that the individual may choose to complain to the Information Commissioner about the extension – which could involve you in more wasted time and costs.
If you can demonstrate that the SAR is “manifestly unfounded or excessive”, you can decline to comply with the SAR altogether, or agree to comply only if the individual pays a reasonable fee that reflects your administrative costs in responding to the SAR. Again, this option should be used sparingly.
There is some information that you are not required to provide in response to an SAR, including:
You can make your life easier by taking some simple steps when managing personal data. These include:
Lupton Fawcett offers a half-day training course “Subject Access Requests under the GDPR – making your life easier” that deals with these issues in more detail. For further information contact Louise Connacher on 0113 280 2108.
Please note this information is provided by way of example and may not be complete and is certainly not intended to constitute legal advice. You should take bespoke advice for your circumstances.