The ICO is certainly having a busy period: a long draft guidance document on dealing with data subject access requests (DSARs) was also published for consultation this week. The consultation closes on 12 February. In the meantime, the following are useful points to note:
- The guidance now helpfully includes advice on dealing with the third-party portals and apps that have popped up following GDPR. The guidance makes it clear that, if a request arrives through one of these and you can only access it by paying a fee or signing up, then you have not 'received' the request. Good news!
- Useful detail around what makes a request "complex", including the work required for redaction, which we all know can take forever. A complex request could justify an extension of the response deadline.
- Confirmation that you do have to search emails including those not in 'live systems'. A lot of companies still don't think they need to do this...
- Interesting detail around personal data kept on staff members' personal devices (often grouped with 'shadow IT'). The guidance notes that, if staff are using personal devices and this is permitted, the personal data held on those devices is within the scope of a request. Yet another reason to make sure you have tight policies around BYOD and shadow IT!
- There are some useful definitions for what is 'manifestly unfounded' which will be helpful to some - for example those DSAR vendettas and disruption campaigns we have all come across.
- Another reminder that accountability is key so, whatever decisions are made around exemptions and approaches, this needs to be documented.
Following on from our initial GDPR guidance on this right (published in April 2018), the ICO has now drafted more detailed guidance which explains the rights that individuals have to access their personal data and the corresponding obligations on controllers.