ICO Issues Enforcement Notice for SAR Backlog

16 July 2019

Author: Rosanne Brennan

Security

The Information Commissioner’s Office (ICO) has issued enforcement notices against the Metropolitan Police Service (MPS) for failing to respond to data subject requests for access to their personal information (SARs) in accordance with Article 15 GDPR.

MPS had notified the ICO of an “unprecedented rise” in the number of requests from the public to access their personal data since the introduction of GDPR on 25th May 2018, with almost 68% of the 1727 open requests were outside of the statutory time frame of one month for a response, with almost 40% being over 100 days old (figures as at 13th June 2019).

The enforcement notice stated that the backlog is “…a cause of significant concern for the Commissioner…” and that damage or distress to the individual is likely as a result of being denied the opportunity of properly understanding what personal data may be processed about them by MPS.

The action required by ICO included making individuals aware of delays in response times and keeping individuals informed of plans as well as requiring MPS to carry out changes to its internal systems, procedures and policies that are necessary to ensure future SARs are identified and complied with in accordance with GDPR - MPS was given a three month deadline to do so.

The ICO’s action in this case demonstrates that it has little sympathy for organisations who have to deal with an increasing number of requests from individuals to exercise their rights under data protection legislation regardless of any lack of resources to address this. Indeed, larger organisations both in the public and private sector might be particularly vulnerable to this type of issue.

Carson McDowell are regularly advising clients in relation to the exercise of data subject rights, including managing appropriate responses to SARs as well as developing policies and procedures to address this area of GDPR. If you would like to discuss any issues regarding data subject rights or data protection within your business or organisation, please email [email protected]

Back