Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Are the Standard GDPR Time Limits for DSARs?
- How Do You Calculate Calendar Month Deadlines for DSARs?
- When Can You Extend the DSAR Deadline?
- What Should You Do If You Need More Time?
- Best Practice Steps for DSAR Compliance
- Worked Examples: DSAR Deadline Scenarios
- What Happens If You Miss a DSAR Deadline?
- Key Takeaways
If you run a business in the UK, you're probably already aware of your obligations under the General Data Protection Regulation (GDPR). But when a data subject access request (DSAR) lands in your inbox, do you know exactly how long you have to respond, and what to do if you need more time?
These time limits aren't just an administrative detail; they're a key part of building trust with your customers and avoiding regulatory headaches down the line. Responding late (or not at all) can expose your business to complaints or even enforcement action from the Information Commissioner's Office (ICO).
The good news? With a clear understanding of the rules, and some best practice steps, you can master DSAR deadlines and show your customers you take their rights seriously. In this guide, we’ll break down the standard GDPR DSAR response time, explain when extensions are allowed, walk through deadline calculations, and offer practical tips for staying compliant.
What Are the Standard GDPR Time Limits for DSARs?
Under Article 12(3) of the GDPR, organisations must respond to a data subject access request within one calendar month of receiving it. This is not a “working month” or 30 days, but a true calendar month, a subtle but important point to get right.
- The clock starts ticking the day you receive the request, not when you get around to opening or forwarding it internally.
- Your response must be sent by the same numerical date in the following month (e.g. a DSAR received on April 12 must be fulfilled by May 12).
- If the following month doesn’t have that date (say, a request comes in on August 31), the deadline is the last day of the next month (so, September 30).
- If the deadline falls on a weekend or public holiday, you have until the next working day to get your response out.
In practice, this one-month time limit is pretty strict. The only exception is if the DSAR is especially complex or you receive several DSARs from the same person at once (more on extensions below).
For more detail on managing GDPR data in your business, see our full guide on What You Need to Know About GDPR.
How Do You Calculate Calendar Month Deadlines for DSARs?
Calculating the DSAR response deadline accurately is crucial for staying compliant. Here’s how it works, step by step:
- Day of receipt is day one. The deadline is one calendar month later, same date, same time (if applicable).
- No matching date? If there’s no corresponding date in the following month (e.g. the request is made on January 31), the deadline defaults to the last day of the next month (February 28 or 29).
- Weekend or public holiday? If your deadline falls on a non-working day, you have until the end of the next working day to respond.
Let’s see some examples:
- DSAR received: 3rd March. Deadline: 3rd April.
- DSAR received: 31st May. June has only 30 days, so the deadline is 30th June.
- DSAR received: 29th August (bank holiday on 29th September). Deadline: 30th September (next working day).
The ICO provides useful guidance and worked examples, which you can find directly on their website or access via our overview of GDPR compliance tips.
When Can You Extend the DSAR Deadline?
Most DSARs should be handled within the standard one-month period, but GDPR is realistic: sometimes things genuinely get complicated.
According to Article 12(3) GDPR, you can extend the deadline by up to two additional months (making it a total of three months) if:
- The request is complex (e.g. it covers a huge volume of data or requires pulling information from legacy systems); OR
- The same individual makes multiple requests at once (e.g. several types of data requests at the same time).
But this isn’t a free pass for delays or vague excuses. If you plan to use an extension:
- You must notify the requester within the initial one month that you’re taking extra time.
- Your notice should provide clear reasons for the delay (e.g. volume, complexity, or type of request) and tell the individual when to expect your full response.
- No further approval from the individual or authority is needed, but you must be transparent and stick to the new deadline.
This means that even if more time is needed, you can’t simply wait and explain after the fact. You need to manage expectations proactively and document the reasons for the extension internally, should the ICO ever wish to review your process.
For more on how to handle sticky compliance issues relating to DSARs and privacy, check out our guide to privacy policies.
What Should You Do If You Need More Time?
If it becomes clear you’ll need more than a month, here’s the process to follow:
- Acknowledge receipt of the DSAR as soon as possible, ideally within a few days.
- Assess the complexity (number of data sources, need for specialist technical support, or very broad scope).
- If an extension is needed, write to the individual within the initial month (don’t wait until the last day) and clearly state:
- That you’re using the extra two months as per GDPR Article 12(3);
- The reasons for the extension (for example, “your request covers extensive data stored in multiple locations and will take additional time to retrieve”); and
- The new anticipated response date.
- Set a firm internal calendar reminder on the new deadline. Missing this extended date can still bring you into ICO scrutiny.
Remember, the extension is only for genuine logistical challenges. Don’t automatically apply it; evaluate requests case by case.
For more about the different legal documents and steps you need for privacy compliance, have a look at our legal documents for business page.
Best Practice Steps for DSAR Compliance
With deadlines so strictly enforced, what can you do to manage DSARs effectively and keep your business on the right side of the law? Here are some practical steps:
- Acknowledge requests promptly: Confirm you’ve received the DSAR and, if required, ask for clarification on the scope right away. This also establishes the start date for your time limit.
- Designate responsibility: Make sure someone in your organisation is clearly accountable for tracking and fulfilling DSARs, ideally with a system to log and monitor deadlines.
- Develop clear internal processes: Know what systems you’ll need to search for data and how to extract, review, and redact documents efficiently.
- Communicate transparently: If there will be any delay (e.g. you need more time), explain this to the individual early, with reasons and a new timeframe.
- Keep records: Document your receipt, communications, internal actions, and response; this is invaluable if a dispute or audit arises.
- Protect other people’s data: It’s common to need to redact personal data relating to other individuals before disclosure. Check you’re not inadvertently breaching someone else’s privacy.
For a fuller picture of how to manage data protection compliance steps in your business, you might find our article on customer data protection helpful.
Worked Examples: DSAR Deadline Scenarios
Let’s round this out with a few more practical examples of how you might calculate DSAR deadlines in real life:
| Date DSAR Received | Normal Deadline | If Next Month has Fewer Days | If Deadline Falls on Weekend/Bank Holiday |
|---|---|---|---|
| 10th February | 10th March | - | 12th March (if 10th is Sunday) |
| 30th January | 28th February (no 30th in Feb) | 28th/29th Feb | 1st March (if 28th is Saturday/Sunday) |
| 31st May | 30th June (June has no 31st) | 30th June | 1st July (if 30th is Sunday) |
| 1st December | 1st January (next year) | - | 2nd January (if 1st is a holiday) |
As you can see, small quirks in the calendar can make a difference to your response obligations, so always double-check your dates and build in reminders to avoid last-minute scrambles!
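The deadline rules from the calculation section and the scenarios above, as an added Python example that is not from the article's author or the ICO. The holiday set is constructed sample data (29 September 2025 is treated as a bank holiday only to mirror the article's example), and two things are assumptions: the extended deadline is computed as three calendar months from receipt with the same month-end and working-day rules, and the 7-day "due soon" threshold in `dsar_status` is hypothetical.

```python
import calendar
from datetime import date, timedelta

# Constructed sample data: supply your own bank-holiday calendar in practice.
SAMPLE_HOLIDAYS = frozenset({
    date(2025, 1, 1),    # New Year's Day
    date(2025, 9, 29),   # constructed, mirrors the article's 29th September example
})

def add_calendar_months(d, months):
    """Same day-of-month N months later, clamped to the month's last day."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))

def next_working_day(d, holidays):
    """Roll forward past Saturdays, Sundays and listed holidays."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d

def dsar_deadline(received, holidays=frozenset(), extended=False):
    """One calendar month from receipt, or three when an extension applies
    (assumption: the extension uses the same clamping and roll-forward)."""
    months = 3 if extended else 1
    return next_working_day(add_calendar_months(received, months), holidays)

def dsar_status(received, today, holidays=frozenset(), extended=False):
    """Classify a logged request for a deadline register."""
    days_left = (dsar_deadline(received, holidays, extended) - today).days
    if days_left < 0:
        return "overdue"
    if days_left <= 7:   # hypothetical reminder threshold
        return "due soon"
    return "open"

if __name__ == "__main__":
    for received in (date(2025, 3, 3), date(2024, 5, 31), date(2025, 8, 29)):
        print(received, "->", dsar_deadline(received, SAMPLE_HOLIDAYS))
```

Any extension notice still has to go out by the non-extended deadline, so a register built on this should track `dsar_deadline(received, holidays)` alongside the extended date.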
What Happens If You Miss a DSAR Deadline?
It’s always best to aim for proactive compliance, not last-minute panic. If you do miss the deadline for a DSAR response, here’s what could happen:
- The individual may complain to the ICO, leading to potential investigation of your data practices.
- The ICO could require you to respond by a set date, or in serious cases, consider enforcement action or fines, especially for repeated or unaddressed breaches.
- Trust may be damaged with your customers, clients, or staff if you consistently delay or mishandle requests.
While the ICO usually focuses on promoting good practice and correcting non-compliance rather than immediate penalties, ongoing or wilful neglect of DSAR time limits can lead to more serious consequences.
If you’re worried about keeping up with complex compliance rules, or want to make sure you’re protected from day one, you can also consult our page on personnel security and privacy policies for further support.
Key Takeaways
- GDPR requires you to respond to data subject access requests (DSARs) within one calendar month of receipt.
- The response clock starts from the day you receive the request, not when it’s opened or assigned.
- You can only extend this deadline by up to two months (total: three months) for genuinely complex or multiple requests; you must notify the individual and give reasons within the original month.
- Carefully calculate your deadline: one calendar month later, same date; if that date is missing, use the last day of the next month or the next working day if it falls on a weekend/bank holiday.
- Strict record-keeping, prompt acknowledgment, clear internal processes, and transparent communication help ensure compliance and build trust.
- Consistent non-compliance can lead to ICO attention, enforcement actions, or loss of customer trust, so it’s best to get your DSAR response right from the start.


