In May this year, the General Data Protection regulation (GDPR) brought with it a new Data Subject Access Requests (DSAR) regime.  We expect that the ICO will update its Code of Practice shortly.   Until then, Andrew Peters of our Labour & Employment team has prepared a five-part blog series which discusses practical concerns for UK employers receiving DSARs post-GDPR.

Part 1 of the series discusses the law as it stands and highlights its ambiguities.  Part 2 addresses issues such as the definition of “complexity” which may allow for an extension of the deadline from one to three months. Finally, Part 3 addresses the issue of proportionality and the extent of an employer’s ability to limit its search and review stages

We will share with you parts 4 and 5 of this series when published.