On October 21, 2020, the Office of the UK Information Commissioner (“ICO”) published its updated guidelines on the data subject’s right of access under Article 15 of the EU General Data Protection Regulation (“GDPR”). The ICO submitted a draft of the guidelines for consultation in December 2019 and added additional content to the guidelines in response to the feedback received. The guidelines provide organizations with more extensive advice than was provided in the previous ICO guide and include examples to show how GDPR requirements will apply in practice.
In the guidelines, the ICO emphasizes the importance of taking a proactive approach to responding to access requests in order to streamline the response process and increase public confidence in an organization. The ICO highlights that the preparatory steps that an organization should take depend on a number of factors including (1) the type of personal data the organization is processing, (2) the number of requests the organization receives, and (3) the organization’s size and resources. Depending on these factors, preliminary steps may include creating (1) property registers to determine where data is being stored, (2) checklists to ensure a consistent approach to responses, and (3) retention and deletion policies to ensure that personal data are not available longer than necessary.
Following the rise in the number of third-party service providers making access requests on behalf of individuals, the ICO guidelines specifically address such requests, noting that the service provider is responsible for providing evidence that it has the appropriate authority to act on behalf of the individual. If the controller cannot view the access request without paying a fee or logging into a service, it is considered not to have received the access request and is therefore not required to respond.
The guidelines also explain the following points:
- If a controller needs clarification from the data subject regarding an access request, the controller can stop the clock until a response is received. This relieves controllers from answering access requests within the one-month period specified by the GDPR, provided that clarification is genuinely necessary.
- A manifestly excessive request is one that is clearly or obviously unreasonable, judged by whether the request is proportionate when balanced against the burden or cost of dealing with it. This is a broader definition than the one the ICO used in the past.
- When charging a fee for responding to manifestly excessive, unfounded, or repeated requests, controllers may take into account the cost of photocopying, printing, postage and other costs of providing the information to the individual, as well as the cost of equipment and supplies and the staff time needed to respond.
The ICO stated that it plans to publish a number of resources to assist with subject access requests. These include a simplified guide for small businesses that highlights key points from the ICO’s more detailed guidance.