ICO clarifies GDPR Subject Access Request time limit pause in updated guidance

The Information Commissioner’s Office in the UK has updated its guidance on the right to access, including clarifying the circumstances in which the one-month time limit clock can be paused.

The new version of the guidance has been published following a consultation that began last December.

The guidance makes it clear that, in some circumstances, an organisation can ‘stop the clock’ on the required one-month time limit for responding in order to seek clarification from the individual making the request. The ICO has clarified this in the guidance following feedback from organisations that they often didn’t have enough time to respond.

The ICO warns, however, that organisations should not seek clarification “on a blanket basis” and should only do so if they genuinely need the clarity in order to process the SAR or if they hold a large amount of information about the subject.

The guidance provides fresh information about how to determine whether a request is ‘manifestly excessive’, and therefore not eligible for a response. The ICO says that all circumstances have to be taken into account, including the nature of the information requested, the context of the request, the nature of the relationship between the organisation and the individual, whether a refusal to provide the information will damage the subject, available resources, and whether the request repeats or overlaps with other requests.

The ICO also clarifies what can be taken into account when charging an administration fee for responding to excessive, unfounded or repeat requests. Controllers may take into account the costs of photocopying, printing, postage and any other costs involved in transferring the information to the individual, as well as the costs of equipment and supplies and the time required by staff to provide a response.

Anulka Clarke, Deputy Director of Regulatory Assurance at the ICO, said: “The right of access is a cornerstone of data protection law and good SAR compliance instils trust and confidence. That’s why it’s essential that organisations get this right, because people’s trust in how organisations use their personal data plays a role in their overall confidence and support for your services.”

She added that the ICO is planning to release a “suite of resources” including a simplified SAR guide for small businesses.

