The GDPR is very specific when it comes to responding to SARs.
Article 12 states: “The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request.”
So, as soon as that request lands in your inbox, or maybe on a reception desk, the clock starts ticking. Having a structured way to record requests as they come in, along with their progress, is the best way to keep track of this deadline. There are certain circumstances when this timeframe can be changed to three months, but you must inform the data subject of this.
You may also have heard people talk about the ePrivacy Directive or the EU Cookie Law. This Directive relates to individuals who reside within the EU and is designed to protect online privacy. If you track cookies of UK and EU residents, it is important that you adhere to both pieces of legislation.