It has been notable that, since the General Data Protection Regulation (GDPR) became directly applicable 13 months ago, there has been little enforcement action taken by the Information Commissioner’s Office (ICO). Until recently, only two enforcement notices and no administrative fines had been issued, despite the hyperbolic warnings of some in the months leading up to May last year.
The ICO has now, however, signalled an intention to take action against organisations which fail to comply with their obligations to respect one of the key data subject rights under GDPR - that of subject access - with the issuing of two separate enforcement notices on the Metropolitan Police Service (MPS). One notice was issued under the Data Protection Act 2018 for contraventions of GDPR, and the other was issued under the Data Protection Act 1998, which is still in effect for older contraventions which took place before its repeal.
A subject access request (SAR) is a request by an individual, under Article 15 of GDPR, to a controller, requiring the latter to state certain particulars (such as whether they are processing the person’s data, and if so, for what purposes) and to provide a copy of the data undergoing processing. The controller must respond within one month (which can be extended to three months on the grounds of complexity and volume).
The ICO notices reveal that the MPS has, for an extended period, had a backlog of more than a thousand delayed responses to SARs (at times the backlog has been as high as 1385 delayed responses).
The enforcement notices require the MPS to respond to all delayed requests by 30 September 2019 and to carry out changes to its systems to ensure that future requests are dealt with in a timely manner. A failure to comply will be a criminal offence by the Chief Constable, on whom the notices are actually served.
Under the prior law, SARs had to be responded to within 40 days, and a fee of £10 could be charged to the requester. GDPR reduced that time frame, and removed the power to charge a fee. Many predicted this would result in an increase in requests, but those businesses who prepared in advance have been best able to meet that challenge. The notices served on the MPS perhaps now indicate that the ICO feels that any time for post-GDPR adjustment, or bedding-in, has passed. Controllers who fail, on a systematic level, to respect people’s subject access rights, must up their game, or face serious action.