The new General Data Protection Regulations come into force 25th of May 2018



The new European-wide data protection regulations come into force on 25 May 2018.

Of special relevance to consumers are the beefed up disclosure rules which in principle make it free to request disclosure of your personal data. Furthermore, data controllers/processors are required to comply with the subject access request within a maximum of one month rather than the 40 days which has existed so far.

Of course the 40 days was a maximum 40 days. The one month is a maximum of one month but I suppose that we can look forward to companies using up the available time regardless of whether it is necessary or not. In the exactly the same way that most companies treat the eight week maximum for producing a final response prior to an ombudsman complaint as a norm rather than a maximum.
We would recommend that anyone who sends an SAR to any company and which fails to comply within 30 days, makes an immediate complaint to the Information Commissioner. We recommend that complaints should be sent off as soon as the one-month time limit is exceeded by a single day. Of course we will have to wait and see how rigourous the Information Commissioner is about protecting citizens and their data rights as opposed to acting in the interests of business which has been the data protection culture in the United Kingdom so far.

If the company from which you are seeking a data disclosure attempts to require you to complete some form or to comply with some other formality then they are acting unlawfully unless they have a legitimate concern to verify your identity. Vodafone is a case in point which routinely responds to an SAR with a form to be completed before the 40 day clock starts ticking. This is unlawful and it will continue to be unlawful with the new regime but this time we suggest that you make immediate complaints.

One unfortunate feature of the new regime is that if a company decides that your subject access request is excessive or unfounded, then they may be justified in levying a charge. This charge must be limited to the administrative costs of satisfying your request. Unfortunately, it will be difficult to challenge the company on the level of the charge and very often this charge may be more than the statutory 10 fee which they are allowed to levy under the present regime. We will have to see how many companies decide to push the limits and abuse the discretion they have.

Once again, any hint of abuse and we suggest that you make immediate complaint to the Information Commissioner.

In addition to the normal subject access request, you can require companies to confirm to you that they do hold your data, how they acquired it, why are they using it and in what way and with whom it has been shared. We suggest that you demand this information routinely as part of every subject access request and the new template which is be prepared is expressed accordingly.


You will be able to access the new SAR template from 25 May and this announcement will be modified to contain a link. Also, the standard SAR auto links which you will see all over the forum will be directed at the new template.