The ICO has confirmed a small, but important, change to the time limits for responding to subject access requests (SARs) under the GDPR. Calculation of the one-month time limit should begin from the date on which the request was received, not the day after. Therefore, if a request is received on 3^rd September, the deadline for responding will be 3^rd October (rather than 4^th October, as previously understood). The ICO update on the subject, which follows a (2004) CJEU decision on time limits, is here and the guidance on subject access rights has been updated to reflect this.

Continue Reading Subject Access Requests – What does ‘one month’ mean?

In May this year, the General Data Protection regulation (GDPR) brought with it a new Data Subject Access Requests (DSAR) regime.  We expect that the ICO will update its Code of Practice shortly.   Until then, Andrew Peters of our Labour & Employment team has prepared a five-part blog series which discusses practical concerns for UK employers receiving DSARs post-GDPR.
Continue Reading GDPR’s Impact on Employee Data Subject Access Requests in the UK

One of the new obligations introduced by the General Data Protection Regulation (GDPR) is to prepare a data protection impact assessment (DPIA) for certain types of processing operations – i.e., those which are likely to result in a high risk. To put it simply, a DPIA is a process for building and demonstrating compliance with the GDPR, which complements the new focus on accountability, privacy by design and a far more risk-based approach.
Continue Reading Polish Supervisory Authority Publishes a Proposed “Black List” Recommendation on Processing Activities That Require a DPIA