The Court of Appeal has given its verdict on how far a data controller needs to go to comply with a data subject access request. The answer: pretty far. The impact: the motive of the data subject in making the request is irrelevant; the legal privilege exemption is not a catch all exemption; evidence must be put forward to rely on "disproportionate effort". The slight benefit: contrary to the Information Commission's Subject Access Code of Practice, the disproportionate effort ground may apply to searches for personal data, not just providing copies of data.
Today a landmark has been reached. The General Data Protection Regulation (GDPR) has been published in the Official Journal of the European Union. From tomorrow the 20 day countdown until the GDPR comes into force on 25 May 2016 begins. The Regulation will not be applicable though until 25 May 2018 due to its two year implementation period. It is considered to be the most remarkable thing to have happened in data protection over the last 20+ years. During this period the concept of data protection has firmly transitioned itself from the side lines to centre stage. Here we explain why you need to begin to plan for the GDPR now.