GDPR bitesize – when can an employer justify extending the time limit for responding to a DSAR?

United Kingdom

Under the Data Protection Act 1998, a data controller had to respond to a data subject access request (DSAR) within 40 days of receipt, with no option to extend that period. This changed under the GDPR: a data controller must now respond “without undue delay and in any event within one month of receipt of the request”. That period may be extended “by two further months where necessary, taking into account the complexity and number of the requests.” So when can an employer justify relying on the two month extension?

It’s important to remember that the primary obligation is to respond to a DSAR “without undue delay”, which means that in some circumstances an employer would be expected to respond well within a month of receipt; the one month period is a ceiling, not a target.

An employer is likely to process a very large amount of workforce personal data. Factors which may make responding to a DSAR a particularly onerous exercise could include:

  • the time period the request covers;
  • the wide nature of the request;
  • the number of potential custodians that need to be contacted;
  • the need to redact large amounts of third party personal data, or information that is withheld under the relevant exemptions; and
  • the number of systems that need to be accessed and searched (for example, email archives, software applications used to store appraisals, HR information, payroll etc.).

However, whilst all of the factors set out above could potentially make responding to a DSAR a time consuming and complex exercise, it should not be assumed that any of them will justify the two month extension in its own right. The GDPR provides that the period for responding can be extended only where this is “necessary”, and an employer should be ready to explain, and to document, why that is the case for the particular request. In any event, the employer will still need to inform the individual, within one month of receiving the DSAR, that it requires the extension and of the reasons for it.

In its guide to the GDPR, the ICO states that its view is that it is unlikely to be reasonable to extend the time limit for responding to a DSAR if:

  • the request is manifestly unfounded or excessive (which may seem counter-intuitive, but this would actually be grounds for a data controller to refuse to comply, or to charge a reasonable fee, rather than to extend the time for responding);
  • an exemption applies; or
  • the data controller is requesting proof of identity before considering the request.

This suggests that upon receipt of a DSAR a data controller is expected to assess quickly how (or if) it is going to respond to the DSAR and cannot simply use the period of extension to buy itself time to consider its position.

In practical terms, the data protection regulators clearly expect data controllers to engage in dialogue with the individual making the DSAR where the scope of the request is very wide, in the hope that it can be narrowed down in a way that still satisfies the individual.

In our experience to date, there has been little resistance from individuals when employers have justifiably sought an extension of time to respond to a DSAR, and open and productive dialogue is likely to assist with this. We are not aware of any action yet being taken by the ICO where a data controller has unjustifiably sought to apply the extension, but it is early days in terms of enforcement under the new regime and this is likely to be a developing area.

Any steps that an employer can take to streamline its processes for responding to a DSAR make good business sense, not only from a data protection compliance perspective but also in terms of minimising the management time spent dealing with requests. In particular, employers should train staff to recognise a DSAR, bearing in mind that under the GDPR a request can be made verbally and that the time limit for responding starts to run from the date of receipt, not from the date the request reaches HR or the data protection officer. Clear processes should also be in place so that those in receipt of a DSAR know the next steps to take. Finally, limiting the personal data that is processed to only that which is necessary, and making sure that policies on retention and deletion are adhered to in practice, as the GDPR principles require, means that responding to a DSAR should become an easier process over time.