The UK Information Commissioner's Office has updated some of its practical guidance
aimed at assisting organisations in dealing with their data protection obligations.


“Identifying data controllers and data processors” recognises the difficulty in identifying the relevant parties as a result “of the variety of different interrelationships that exist between organisations involved in the processing of personal data to any degree jointly with others.” The guidance gives practical examples of where “controller-processor” and “joint controller” relationships may exist, and offers definitions of the different types of client and service provider to help organisations determine their applicable responsibilities and obligations.


“Disproportionate effort” sets out an organisation's obligations to comply with a subject access request and the extent to which it can rely on the “disproportionate effort” exemption. The guidance again provides practical examples and clarifies that the exemption applies only to the task of responding to a subject access request by providing a copy of the information in permanent form; it does not apply to the effort required to locate the personal data.


Finally, “Regulatory activity” sets out the circumstances in which organisations may use the regulatory activity exemption under Section 31 of the Data Protection Act to withhold information requested, or to be provided, under the subject information provisions of the Act.
