The UK Labour Party has been reprimanded for not fulfilling its data protection duties following a historic cyberattack. More than 150 complaints were made to the Information Commissioner’s Office (ICO) regarding mishandling of Subject Access Requests (SARs) for personal information.
The ICO’s investigation found that between November 2021 and November 2022, the Labour Party received 352 SARs, yet 78% of them were not answered within the requisite extended three-month timeframe, and over half (56%) were delayed for more than a year. The high volume of SARs received was a result of a prior cyberattack on the organisation in October 2021. Moreover, its privacy inbox had not been adequately monitored since 2021, meaning the requests received were not being responded to as required under data protection law.
Under UK GDPR, organisations are expected to respond to a SAR within one month of receipt of the request, extendable by up to a further two months if the SAR is complex. Where organisations find themselves lacking adequate resources, an external data protection officer can support the team to ensure adherence to regulatory requirements.
Following the reprimand, the Labour Party has worked on resolving the backlog and has put measures in place to ensure more prompt responses to requests in the future. As a global Data Protection Officer services provider, HewardMills works with clients to ensure that a privacy mailbox is not only in place but is also adequately resourced and regularly monitored. In the event of a data breach, our expert team can work with you to respond quickly and report to the regulator if required.