DSARs – ICO publishes new detailed guidance

On 21 October 2020, the ICO published its new right of access detailed guidance setting out its view on the approach to be taken in response to an individual making a data subject access request (“DSAR”) under Article 15 of the GDPR. This follows its consultation of December 2019, which highlighted the need for further clarification on certain aspects of the law, including in particular:

• Stopping the clock for clarification – the new guidance makes clear that, in certain circumstances (where you process a large amount of information about the individual and specific clarification is genuinely required), the clock can be stopped whilst you wait for the individual to clarify their request.

• What is a “manifestly excessive” request – the ICO has broadened the definition clarifying that you need to consider whether the request is “clearly or obviously unreasonable” balanced against the burden or costs in dealing with it and provides further guidance on factors to be taken into account.

• What can be included when charging a fee for excessive, unfounded or repeat requests – the ICO has provided further guidance on what you can take into account when determining a reasonable fee, including the costs of assessing, locating and providing a copy of the information.

We will provide a detailed Insight on the new guidance shortly. Organisations have seen a steady increase in DSARs, whether used as means to check the accuracy of data, support in employment claims or evidence gathering exercise prior to complaints and litigation, and all data controllers should ensure that the relevant individuals within the organisation are aware of the ICO’s approach.