ICO SAR Guidance Summary

The ICO has observed a significant rise in complaints concerning Data Subject Access Requests (DSARs). Between April 2022 and March 2023, the ICO received 15,848 complaints, highlighting ongoing challenges with compliance. In response, the ICO has taken enforcement action, such as reprimanding organisations for failing to meet DSAR deadlines. For instance, Norfolk County Council was reprimanded in May 2023 after responding on time to only 51% of DSARs between April 2021 and April 2022.

When Can You Withhold Information from a DSAR Request?

Under UK GDPR, organisations can withhold information from a Data Subject Access Request (DSAR) under specific circumstances. These exemptions must be applied carefully and justified on a case-by-case basis. Reasons include protecting third-party data, legal privilege, or manifestly excessive requests. Understanding and applying these exemptions correctly is vital for ensuring compliance while safeguarding sensitive information.

Navigating Special Cases in Personal Data for DSARs

Special categories of personal data—such as unstructured manual records, health, educational, and social work data—come with specific challenges when responding to Data Subject Access Requests (DSARs). UK businesses and public authorities must be aware of the unique compliance requirements for each category, particularly regarding cost limitations, search obligations, and exemptions, to avoid falling short of GDPR standards.

Understanding the Right of Access

The right of access, exercised through a Subject Access Request (SAR), allows individuals to request their personal data from an organisation. Businesses must respond within one month, or up to three months for complex requests. Compliance is essential to avoid legal risks and ensure transparency in data handling.

New ICO SAR Guidance: Why Employers Must Not Get Caught Out

The Information Commissioner's Office (ICO) recently issued new guidance on Subject Access Requests (SARs), emphasising the need for employers to handle them correctly and promptly. Failure to comply can result in fines or reprimands. This guidance ensures businesses are not caught out by common mistakes, such as overlooking informal requests or misunderstanding response deadlines.

The Cost of Non-Compliance: Labour Party Penalised for DSAR Failures

The ICO fined the Labour Party for failing to respond to Data Subject Access Requests (DSARs) promptly. This case highlights the risks of non-compliance with GDPR for UK organisations, emphasising the need for efficient, compliant DSAR handling. Automated solutions, like DSAR.ai, can help businesses avoid costly fines by streamlining the process and reducing human error.

Revolutionising Subject Access Requests: Decoding the CJEU’s Landmark Judgment

On 4th May, the Court of Justice of the European Union (CJEU) delivered a pivotal judgment in case C-487/21 (Österreichische Datenschutzbehörde v CRIF GmbH), which significantly impacts data protection and the rights of data subjects.

Unlocking the Secret to Processing Data Access Requests: A Step-by-Step Guide

In this article, we provide a detailed guide to the steps that organisations must follow when processing Data Subject Access Requests (DSARs) in compliance with the General Data Protection Regulation (GDPR).

Unlocking the Secrets of Efficient DSAR Processing: A Guide for UK Companies

Since the implementation of the General Data Protection Regulation (GDPR) in May 2018, companies in the UK have had to adapt their data protection practices to comply with the new regulations.

Data Access: The Painful Truth of High-Level Effort and Hidden Costs

In the age of big data, the General Data Protection Regulation (GDPR) has strengthened the rights of individuals over their personal data. One of these rights is the right of access, also known as Data Subject Access Requests (DSARs).