The Information Commissioner’s Office (ICO) has updated its guidance on timescales for responding to data subject individual rights requests. The guidance makes clear that, when calculating the one-month period for response, the day of receipt is day one rather than the day after receipt.
How long do you have to comply with a request?
You must comply with a request without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receipt of:
- any requested information to clarify the request;
- any information requested to confirm the requester’s identity; or
- a fee (only in certain circumstances).
You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month.
If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond.
This means that the exact number of days you have to comply with a request varies, depending on the month in which the request was made.
The ICO have also published guidance on manifestly unfounded and excessive requests under the Guide to Law Enforcement Processing.
Link below to the ICO website with the updated guidance:
https://ico.org.uk/for-organisations/guide-to-data-protection/whats-new/