Share on facebook
Share on twitter
Share on linkedin

Several Organisations Reprimanded by the ICO for Not Complying with Subject Access Requests

Becky Nicholson

Senior Data Privacy Consultant

Becky is part of the team at Bridewell which delivers General Data Protection Regulation (GDPR) and Data Privacy services to organisations globally. A highly-qualified data privacy expert, Becky holds accreditations from CIPP/E, CIPM, is a OneTrust Certified Professional and a Certified ISO 27001 Lead Auditor. With Bridewell, she has assisted organisations to embed data protection into the full lifecycle of projects from planning and design through to management and governance. Becky has always managed to address the complex privacy challenges presented across multiple industries such as pharmaceutical, car manufacturing, local government, tourism, finance, not-for-profit, clean energy and investments.

Yesterday the ICO named and shamed seven organisations for not responding to individuals when they asked for their information through a Subject Access Request (SAR).

The ICO received a number of complaints about these seven organisations relating to various failures in responding to SARs. These ranged from missing the deadlines, withholding information to not responding at all.

Some of figures are quite staggering:

  • Ministry of Defence has a SAR backlog of 9,000 requests with a waiting time of 12 months.
  • The Home Office has 3,000 unanswered SARs outside the legal time limit.
  • Virgin Media failed to respond to 1330 SARs within the timeframe.

Organisations have 30 calendar days to respond to a SAR, this may be extended up to three months and they don’t have to be made in writing.

The seven organisations have been issued a reprimand and have up to six months to make improvements.

The naming and shaming is likely to be more detrimental than the ICO’s slap on the wrist. That said, only Virgin Media is a company of choice, the others, being government organisations, can’t always be avoided.

What Does My Organisation Need to Do?

  1. Awareness and training – make sure everyone in the organisation knows how to recognise a rights request and what to do with one.
  2. Keep a record of all requests received.
  3. Make sure to have robust and effective verification procedures for individuals exercising their rights.
  4. Make sure everyone in the organisation knows the ‘Rights Request Procedure’ and where to find it.

If you have any further questions around how to validate or fulfill data subject rights requests, please contact us as and we’ll be happy to help.

Related Posts