CYFOR Blog

The Information Commissioner’s Office (ICO) provides clarity for data controllers when asking data subjects for clarification on Data Subject Access Requests (DSARs) they’ve submitted.

Recently published guidance from the Information Commissioner’s Office (ICO) includes the ability to “stop the clock” on the one-month deadline whilst data controllers wait for individuals to clarify their request. The move by the UK regulator comes as data controllers face an increase in Data Subject Access Request deadlines since the implementation of the General Data Protection Regulation (GDPR) in 2018. This updated guidance on handling DSARs by the ICO includes welcome advice for data controllers having to deal with DSARs.

Stopping the DSAR clock

If you process large amounts of data about an individual, and clarification is genuinely required in order to respond to the DSAR, you can ask the requester to specify the information their request relates to before directly responding to the request. The time limit for responding to the request is then paused until clarification is received.

The clock is stopped for the number of days that it takes the data subject to respond. For example, if the original one-month deadline were 16 May, and clarification was requested on 21 April, and a response received on 28 April, the new deadline would be 23 May.

If the data subject simply repeats the request in response or maintains a request for “all of the information you hold about me”, you must still comply with their request by carrying out a reasonable search for personal data. If the data subject does not respond at all, you do not have to provide any personal data and can close the request.

For more information on our DSAR services or if you require assistance with handling a Data Subject Access Request deadline, please get in touch with our consultants.