It's an observation which may have some readers reaching for the world's smallest violin, but it must be difficult sometimes to be a data protection regulator. The purpose of regulation (very generally) is to level the playing field - to put someone in the corner of the "little guy" who has the authority and the influence to bring larger players to heel. But regulation is a two-way street, and a canny regulator will always look to ensure that they are not too antagonistic to those they seek to regulate. They perceive (often rightly) that they will achieve more through the carrot of friendly support and guidance than can ever be achieved through the stick of enforcement.
But the danger with that approach is that a regulator can end up being captured by the very system that it is hoping to regulate. Where that happens (>cough< Press Complaints Commission >cough<), confidence in the regulation is eroded and the individuals whom the regulator is supposed to be protecting become disillusioned.
One of the battlefields on which this struggle for the allegiance of the ICO has been fought out recently has been in connection with data subject access rights (DSARs). These, as the ICO itself acknowledges in the post linked to below, are fundamental human rights, and often an essential precursor to any other exercise of rights by data subjects - you need to know what data is held about you and what is being done with it, before you can object, or ask for it to be erased or transferred.
GDPR brought with it a more data-subject-friendly landscape for DSARs. The £10 fee which had been a barrier to exercising this right was removed, time-frames for responses were shortened, and the grounds on which a response could be delayed or objected to were narrowed.
The ICO has now taken the opportunity to consult on how these changes have been received and, perhaps unsurprisingly, has discovered that while generally well received by data subjects, the changes have been less popular with data controllers. Hence, a new set of updated guidance, and in the continuing tug-of-war between data subject and controller, a small step taken back in the direction of the controller.
The guidance will repay careful consideration, particularly because there is likely to be quite a lot of very high-level reporting suggesting that a range of excuses for non-compliance with DSARs has been resurrected. The change is nowhere near as dramatic as that, but there is some useful clarity about the circumstances in which a controller might genuinely object to a request on the grounds of it being manifestly either excessive or unreasonable. That clarity will assist both sides. What will be more unwelcome is the reintroduction of (limited) circumstances in which a controller might "stop the clock" on responding to a DSAR in order to seek further clarification.
It remains to be seen how this renewed opportunity for delay will be used in practice, but it is likely that this latest guidance will be far from the final word on the subject of subject access rights.
The right of access is a fundamental right under data protection law. And it has never been more necessary. In a world where personal data is used almost everywhere – by everyone – it’s vital that people have the right to be able to find out what’s happening to their information. More and more people are waking up to the power of their personal data, and are exercising their rights. That’s why, as an organisation, it’s important that you know how to deal with a subject access request (SAR) effectively and efficiently.