April 30, 2020

How long do we have to respond to a GDPR request?

This applies to:

The GDPR requires that each of the above scenarios be responded to within a month – and the ICO recommends that the ‘month’ period is calculated as follows:

  • Take the date of the day following the one on which the request is received
    • So if the SAR arrived on the 23rd of the month, the applicable start date is deemed to be the 24th of that month
  • Using that date, apply it to the next month as the deadline by which the SAR response must be sent.
    • So if the applicable start date is the 24th of a month, the deadline is the 24th of the following month
  • This calculation disregards whether days are working days or not.
  • For example, if the SAR is received on 27th June, then the deadline is 27th July
  • If there is no such day in the following month, you should go to the first day of the month after that
    • So if the SAR is received on 31st January, the deadline is 1st May (because there is no such day as the 31st of February)
  • If the deadline date thus determined is a weekend or public holiday, then the following day becomes the deadline date.
  • As this means the period will vary at different times of year, an organisation may, if it wishes, adopt a fixed 28-day period instead
    • This has the benefit of a bit of leeway built in so that in the event of a day’s delay, this should not be a problem

Note that this is the approach adopted by the ICO and while other approaches may be appropriate, this would likely be the version deemed best practice unless you had good reasons (laid out in advance) to vary from this.
