The General Data Protection Regulation (GDPR) introduced an accountability principle: data controllers are required to handle personal data appropriately and effectively, and to be able to show this through their practices and procedures. The Information Commissioner’s Office (ICO) has announced that it intends to launch an accountability toolkit in 2020 to help organisations comply with this accountability principle.
The toolkit is intended to serve as a reference point showing the ICO’s expectations.
The ICO is currently consulting on its proposed toolkit. The consultation is due to close on 9 December 2019. Please see the following link for more details:
Subject Access Requests
Earlier this year, the ICO published new guidance which affects the timescales for responding to employees’ subject access requests. The clock starts running from day 1 (i.e. the day the request is received). It was previously thought that the one-month period started from the day after receipt. Employers should update their policies in line with the new guidance.
Please see link to guidance below:
Although the basic rule is to respond within one month of receipt of a subject access request, this can be extended by up to two months where necessary, depending on the complexity and number of requests. Any extension must be communicated to the employee within the initial one month, together with the reasons for the extension.
Don’t get caught out!