Under GDPR, organisations now have only ONE MONTH to provide information to a data subject from the date their request is received and information must be provided FREE OF CHARGE.

The exceptions to this, where a REASONABLE FEE may be charged, are if:

  • the request is unfounded multiple times
  • it is made excessively or repeatedly
  • more copies of the same information are required

Charges cannot be made against any other subsequent access requests.

The fee itself must be based on the administrative costs associated with providing the requested information.

There may be cases where an organisation needs an extension to the one-month timescale, such as where:

  • the request is complex in the retrieval of information
  • multiple requests have been made
  • there is a large amount of individual data

If an extension is necessary, the organisation has ONE MONTH upon receipt of the request to explain to the data subject why this extension is required, and the extension may be extended by a further TWO MONTHS.

One major change to this Right of Access is the removal of the £10 subject access fee which exists under the current Data Protection Act (1998), where the response time is 40 days and the fee is £10.

In the case of large amounts of individual data, the GDPR allows an organisation to ask the data subject making the request to specify exactly what they are looking for and the information their request relates to.

The GDPR does not exempt requests that relate to large amounts of data. It is up to the discretion of the organisation to decide if the request is unfounded or excessive. This means that data subjects are still able and allowed to make a request for large amounts of data. However, if the organisation believes that the request is so excessively large that it would take more time than the full extension of an additional 2 months to fulfil, the organisation could refuse the request at its own discretion.

Deborah Thompson