Data protection: compliance with subject access requests
The ICO has amended its General Data Protection Regulation: Right of access guidance on the timescale for compliance with a data subject access request (DSAR) when the data controller requests clarification from the data subject.
The start of the one-month period for compliance will no longer be paused until the controller receives the requested information. Similarly, the extended timescale of up to two further months for responding to complex or multiple DSARs is no longer paused. The new timescale will start to run from the date of receipt of the DSAR or, if later, upon receipt of proof of identification.
This is an important change from the guidance published in 2018 and is a divergence from the Subject Access Code of Practice made under the Data Protection Act 1998, which paused the time period until the controller received the information sought from the individual.