New ICO SAR Guidance: Why Employers Must Not Get Caught Out

Understanding the Right of Access

The Information Commissioner’s Office (ICO) recently issued new guidance on Subject Access Requests (SARs), emphasising the need for employers to handle them correctly and promptly. Failure to comply can result in fines or reprimands. The guidance aims to ensure businesses are not caught out by common mistakes, such as overlooking informal requests or misunderstanding response deadlines.

Lessons Learned:
UK employers must prioritise SAR compliance by recognising valid requests, including those made informally, and adhering strictly to response deadlines. Solutions like DSAR.ai can help streamline SAR management, ensuring timely, error-free responses and avoiding legal consequences.

In May 2023, the Information Commissioner’s Office (ICO) released crucial new guidance to help employers navigate the complexities of responding to Subject Access Requests (SARs). The right of access under the UK General Data Protection Regulation (GDPR) allows individuals to request the personal information their employer holds about them. With over 15,000 SAR-related complaints to the ICO last year, this new guidance is a crucial reminder that businesses must avoid getting caught out by mishandling SARs.

Why This Guidance Matters

Many employers misunderstand the legal requirements around SARs. For instance, organisations might be unaware that requests can be submitted informally via email or social media without using specific phrases like “Subject Access Request.” Once received, employers are legally obligated to respond within one month, though this period can be extended by up to two months if the request is particularly complex. Failing to meet these deadlines could lead to fines or reprimands from the ICO.

According to Elanor McCombe, Policy Group Manager at the ICO, businesses often underestimate the importance of responding to SARs promptly, placing them at risk of non-compliance. The new guidance ensures that employers are clear on their obligations, helping them avoid common mistakes like missing informal requests or misjudging the complexity of the request.

Key Takeaways for Employers

The updated guidance emphasises several critical points:

  1. Time-sensitive responses: Employers must respond to SARs within one month. Failing to do so can result in legal action, as timely access to personal data is a right enshrined in law.
  2. Informal requests are valid: Employers cannot ignore SARs simply because they were submitted informally through social media or without specific legal jargon. Any request for personal information must be treated as a SAR.
  3. Complexity considerations: The response time can be extended if a SAR involves a significant volume of data or affects multiple parties. However, employers must notify the requester of delays within the initial one-month period.

The Risks of Non-Compliance

From April 2022 to March 2023, the ICO handled nearly 16,000 SAR-related complaints, underscoring how common compliance issues are. In some cases, organisations have been reprimanded or fined for failing to fulfil SAR obligations. Plymouth City Council and Norfolk County Council were recently criticised for failing to respond to information requests in a timely manner, a cautionary tale for other employers.

Ensuring Compliance

For businesses struggling to keep up with SARs, the ICO’s guidance is a reminder that they need effective processes in place. Solutions like DSAR.ai offer a streamlined way to handle the administrative burden of SARs, from tracking deadlines to securely handling personal data requests. Automating the SAR process ensures that requests are managed efficiently, reducing the risk of human error and non-compliance.