Companies are being warned to ensure they comply with subject access requests within the one-month time frame or face a serious kicking from the Information Commissioner’s Office for being in breach of GDPR.
The move follows news that the ICO has slapped the Metropolitan Police with two enforcement notices after the service admitted it had a backlog of over 1,700 requests for copies of personal data.
The so-called “right of access” is a key tenet of GDPR, and allows individuals to obtain a copy of the personal data held on them through a subject access request (SAR). Individuals can make a request verbally or in writing and organisations have one month to respond.
However, the Met’s woeful performance has seen as many as 1,169 requests remain unanswered after a month, with a further 689 being more than three months old.
The ICO says the two enforcement notices – one under the Data Protection Act 2018 (and by extension GDPR) and another under the Data Protection Act 1998 – are necessary, as some of the requests were made before the GDPR D-Day of May 25 2018 and so fall under the older regime.
In a blog post, ICO director of data protection complaints and compliance Suzanne Gordon said the issue was a “cause for concern” and “evidence of a systemic failure to respond to subject access requests”. Ultimately, the Met had “failed in its data protection obligations”, Gordon blasted.
The ICO has given the Met three months to clear the backlog or face further sanctions, including a potential fine under GDPR. It has also been ordered to make changes to its internal systems and policies to ensure that individuals are kept up to date on any delays to their SAR, and to provide information on how the backlog is being addressed.
While the regulator did acknowledge that GDPR has brought with it an “unprecedented rise in demand” for SARs, it seems to have run out of patience with the Met.
The ICO said that due to the “fluctuating backlog” of requests, and because of a number of meetings and correspondence with the organisation that ultimately proved to be “ineffective”, it had decided that enforcement action was required to “encourage compliance”.
SAR failings are viewed very seriously by the ICO, as delays not only prevent individuals from understanding how their data is being processed by an organisation, they also prevent individuals from exercising additional rights based on that information.
The ICO is urging all organisations – both public and private sector – to review their processes for handling SARs, and ensure they are able to respond within the statutory time limit…or else.