No Result
View All Result
SUBSCRIBE | NO FEES, NO PAYWALLS
MANAGE MY SUBSCRIPTION
NEWSLETTER
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Compliance

UK’s Data Protection Regulator Signals Crackdown on Access Request Violations

Public, private agencies rebuked for slow responses to consumer data inquiries

by Jonathan Armstrong and André Bywater
October 5, 2022
in Compliance, Data Privacy
uk ico data access

Data privacy laws in the EU and UK established the right of individuals to find out what personal information organizations hold about them, but organizations aren’t always timely in answering subject access requests. Cordery’s Jonathan Armstrong and André Bywater discuss recent UK actions and explore methods for ensuring companies remain compliant with consumer data requests.

The EU and UK GDPR (and the UK Data Protection Act 2018 in the UK) allow individuals to make subject access requests (SARs) to organizations in order to obtain information about the personal data held about them by organizations, subject to certain exceptions.

Once an SAR is received, an organization must usually provide the information requested without delay — and at the latest within one month of receiving the request. If, however, an SAR is complex or the individual has made numerous requests, the organization may extend the period of compliance by a further two months but must inform the individual of the extension within one month of receipt of the request and explain why the extension is necessary.

Aggrieved individuals can make an official complaint to the Information Commissioner’s Office (ICO) about an organization’s handling of an SAR, and the ICO will make a determination as to whether the organization is in violation of the law, as well as what actions will be taken against the organization.

Recent ICO actions

After undertaking investigations, the ICO determined that seven UK organizations repeatedly failed to meet the relevant SAR response deadline. As a result, in many cases, people making the SARs had suffered significant distress.

The seven organizations were identified following a series of complaints in relation to multiple failures to respond to SARs for copies of personal information collected and processed by these organizations, either within the legal deadlines timeframes or at all.

The ICO undertook regulatory action against the following organizations:

  • Ministry of Defense (MoD): The ICO issued a reprimand to the MoD following an identified SAR backlog dating back March 2020. Despite the MoD setting up a recovery plan, the backlog had continued to grow and stood at around 9,000 SAR requests waiting for a response, meaning that, on average, people have typically waited for over a year.
  • Virgin Media: Over a 6-month period in 2021, Virgin Media received over 9,500 SARs, 19% of which were not responded to during the legal timeframe. The ICO accordingly issued a reprimand.
  • Home Office: The ICO issued a reprimand to the Home Office because, between March 2021 and November 2021, the Home Office had a backlog of just under 21,000 SARs that had not be responded to within the legal timeframe, and, as of July 2022, there were just over 3,000 unanswered SARs outside the legal timeframe.
  • London borough of Croydon: From April 2020 to April 2021, the Croydon Council had responded to less than half of SARs within the legal timeframe, meaning that 115 residents had not received a response. The ICO accordingly issued a reprimand.
  • Kent Police: From October 2020 to February 2021, Kent Police received over 200 SARs, 60% of which were completed within the legal timeframe. However, some of the remaining SARs were reported to have taken over 18 months. As of May 2022, more than 200 SARs were overdue. The ICO accordingly issued a reprimand.
  • London borough of Hackney: For the period of April 2020 to February 2021, the Hackney Council did not respond to over 60% of the SARs submitted within the legal timeframe. The oldest SAR was over 23 months. The ICO accordingly issued a reprimand.
  • London borough of Lambeth: Between August 2020 and August 2021, the Lambeth Council received 815 SARs, only 53% of which were responded to within one month. The ICO accordingly issued a reprimand.

The ICO has ordered these organizations to make improvements between three and six months or face further possible enforcement action.

Key takeaways

Turning around a SAR within the legal timeframe may be a challenge, but it is a compliance obligation that an organization must nevertheless meet. Otherwise it may face regulatory investigation, which will take up resources, and it may face regulatory action, depending on the outcome of investigations. Individuals could also seek financial compensation from organizations where those individuals’ SARs have not been handled properly and they consequently experienced distress.

To aim for compliance, organizations should:

  • Make a note of when a SAR was received and when the time limit will end.
  • From the moment the SAR is received, not alter personal data to prevent its disclosure to the individual (under UK data protection rules, this constitutes a criminal offense).
  • Design efficient policies and procedures to deal with SARs.
  • Train staff on how to handle SARs.

This article was first published at Cordery.com. It is republished here with permission.


Tags: Data GovernanceGDPR
Previous Post

Consumers and Federal Regulators Continue Fight Against Greenwashing

Next Post

Inside Job: How Businesses Can Protect Valuable Trade Secrets

Jonathan Armstrong and André Bywater

Jonathan Armstrong and André Bywater

Jonathan Armstrong is a partner at Cordery Compliance. He is an experienced lawyer with a concentration on technology and compliance. His practice includes advising multinational companies on matters involving risk, compliance and technology across Europe. He has handled legal matters in more than 60 countries involving emerging technology, corporate governance, ethics code implementation, reputation, internal investigations, marketing, branding and global privacy policies. Jonathan has counseled a range of clients on breach prevention, mitigation and response. He has also been particularly active in advising multinational corporations on their response to the UK Bribery Act 2010 and its inter-relationship with the U.S. Foreign Corrupt Practices Act (FCPA).
André Bywater is a partner at Cordery Compliance. He is a commercial lawyer with a focus on regulatory compliance, processes and investigations. His practice has engaged both the private and public sectors. He was Brussels-based for many years, focusing on a multitude of EU issues during which time he worked across Europe and beyond. He has assisted and advised mainly European and U.S. in-house counsel and other company personnel. Further, he has also addressed a variety of legal matters in the context of EU-funded projects building the expertise and capacity of government ministries and agencies in Central and Eastern Europe and further afield.

Related Posts

risk tunnel

From Regulation to Volume, There Is No Light at the End of the Data Privacy Tunnel

by Jim DeLoach
March 15, 2023

Data proliferation and data privacy regulatory activity across the globe have created the need for focused boardroom discussions. An underpinning...

gdpr

UK Resurrects Data Protection Reforms, EU Court Rules on GDPR in Civil Cases

by Jonathan Armstrong and André Bywater
March 15, 2023

Recent courtroom and legislative action in Europe will likely have ripple effects around the world for companies subject to regulations...

data breach

Sobering Reality: Drizly Order Indicates Officers May Face Personal Liability for Data Breaches

by Baker Donelson
February 1, 2023

The FTC says Drizly’s CEO James Cory Rellas was alerted to a potential security loophole two years before a data...

eu flag

Preparing Your Company for the Latest GDPR Data Transfer Developments & Upcoming Deadlines

by Kevin L. Coy
November 30, 2022

An EU court decision and legislative moves in the U.S. and UK make compliance with privacy regulations increasingly difficult. Arnall...

Next Post
trade secrets

Inside Job: How Businesses Can Protect Valuable Trade Secrets

Compliance Job Interview Q&A

Jump to a Topic

AML Anti-Bribery Anti-Corruption Artificial Intelligence (AI) Automation Banking Board of Directors Board Risk Oversight Business Continuity Planning California Consumer Privacy Act (CCPA) Code of Conduct Communications Management Corporate Culture COVID-19 Cryptocurrency Culture of Ethics Cybercrime Cyber Risk Data Analytics Data Breach Data Governance DOJ Download Due Diligence Enterprise Risk Management (ERM) ESG FCPA Enforcement Actions Financial Crime Financial Crimes Enforcement Network (FinCEN) GDPR HIPAA Know Your Customer (KYC) Machine Learning Monitoring RegTech Reputation Risk Risk Assessment SEC Social Media Risk Supply Chain Technology Third Party Risk Management Tone at the Top Training Whistleblowing
No Result
View All Result

Privacy Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2022 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe

© 2022 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT