The main findings were:
Previously, SARs had to be responded to within one calendar month, with the day after receipt counting as “day one”.
Following the court judgement “day one” is now the day a firm receives the SAR, for example:
If it is not possible to respond because the following month is shorter (and there is no corresponding calendar date) e.g. February, then the date you will need to respond by is the last day of the following month for example:
If the date you need to respond by lands on a weekend or a public holiday, you have until the next working day to respond.
Many firms will be able to respond to the SAR within this amended timeframe as most aim to respond well within the month limit.
However, as the exact number of days you have to comply with a request varies (depending on the month, weekends and bank holidays in which the request was made) firms may now find it hard to put in place simple SAR request monitoring.
As such we think that firms may benefit from adopting a 28-day response period as this will ensure that you will always be able to respond to a SAR within the required calendar month.
You should make sure that any SAR processes you have in place are updated to reflect these amended timescales. This includes any internal systems, tracking spreadsheets and training material you may have.