Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business handles personal data, the UK GDPR and the Data Protection Act 2018 don’t just set standards - they set clocks ticking.
From responding to subject access requests to notifying the ICO after a breach, there are strict GDPR time limits that every small business needs to hit without fail.
The good news? With clear processes and a few smart tools, meeting these deadlines is manageable - and it will massively reduce your legal risk. In this guide, we’ll break down the key time limits, how to calculate them properly, and the practical steps to make sure you never miss a date.
What Do GDPR Time Limits Mean For Small Businesses?
“GDPR time limits” are the legal deadlines for responding to people’s data rights (like access or deletion), handling complaints, and reporting certain incidents to the regulator. These obligations apply whether you’re a sole trader selling online or a growing company with staff and suppliers.
At a high level, you’ll need to be able to:
- Log and respond to individual rights requests within one month (with narrow exceptions).
- Report qualifying personal data breaches to the ICO within 72 hours of becoming aware.
- Action marketing opt‑outs promptly and keep suppression lists up to date.
- Apply sensible (and documented) retention periods so you don’t keep data for longer than necessary.
These aren’t “nice to haves.” Missing a GDPR time limit can trigger complaints, investigations and fines - not to mention reputational damage with customers you’ve worked hard to win.
Key GDPR Time Limits You Need To Track
Below are the core deadlines most UK small businesses will encounter. We’ve translated the legalese into plain English and flagged the practical nuances that catch teams out.
1) Data Breaches: 72 Hours To Notify The ICO (If Required)
If you suffer a personal data breach that is likely to result in a risk to people’s rights and freedoms (for example, exposure of unencrypted customer or employee data), you must notify the ICO “without undue delay,” and where feasible no later than 72 hours after becoming aware of the breach.
- If the incident is unlikely to pose a risk, you don’t need to notify the ICO - but you should document your assessment.
- If there is a high risk to individuals, you must also inform the affected people “without undue delay.”
- Have a written Data Breach Response Plan so you can triage quickly and accurately within the 72‑hour window.
2) Subject Access Requests (SARs): One Month To Respond
When someone asks for a copy of their personal data (a “SAR”), you must respond without undue delay and within one month of receiving the request. You can extend by two further months if the request is complex or you’ve received numerous requests from the same person - but you have to tell them within the first month and explain why.
- You can pause the clock if you need to verify the person’s identity - the time limit starts when you have what you reasonably need to confirm identity.
- You can ask the individual to clarify their request if it’s broad, and the time limit may be paused until clarification is received.
- Most SARs must be fulfilled free of charge, but you can charge a reasonable fee or refuse a request that is manifestly unfounded or excessive (explain your reasoning in writing).
- For an in‑depth look at timelines, check practical guidance on SAR deadlines.
3) Rectification: One Month To Correct Inaccurate Data
If someone tells you their personal data is inaccurate or incomplete, you must rectify it without undue delay and within one month. Again, you can extend by two months for complex requests (and notify the person within the first month).
4) Erasure (“Right To Be Forgotten”): Prompt Response Within One Month
You need to respond to erasure requests within one month. Whether you must delete will depend on the lawful basis you rely on and whether any legal obligations require you to keep the data. If you refuse, you must tell the person why, within the same time frame, and explain their right to complain to the ICO.
5) Restriction And Objection: Respond Within One Month
Requests to restrict processing or to object (including objections to direct marketing) must also be handled within one month. For direct marketing, you should stop marketing immediately when someone opts out and add them to your suppression list promptly.
6) Data Portability: One Month To Provide Data In A Usable Format
For certain data you process by consent or under a contract, you may need to provide it in a structured, commonly used and machine‑readable format within one month, or transmit it directly to another controller where feasible.
7) Retention Periods: “No Longer Than Necessary” (Document It)
GDPR doesn’t impose a single time limit for how long you keep personal data - it requires you to justify and document retention schedules based on your purposes and legal obligations. This is where many small businesses slip up. Set clear, business‑specific schedules and stick to them. For help shaping realistic timelines, see practical guidance on retention periods.
How To Calculate GDPR Time Limits Correctly
It’s not just “one month from whenever.” The way you count time can change the deadline - and the ICO will expect you to get this right.
Start Counting The Day After You Receive The Request
Generally, the one‑month period starts the day after you receive the request (or, for breaches, the moment you become aware of the incident), and ends on the corresponding date in the following month. If there’s no corresponding date (e.g. request received on 31 January), the deadline is the last day of the following month.
Public Holidays And Weekends Still Count
GDPR time limits include weekends and public holidays. If your deadline falls on a weekend or public holiday, aim to respond before that date. If you’re planning operational cover (for example, around Christmas), ensure someone is monitoring your inboxes and social channels and can triage requests.
ID Verification Can Pause The Clock
If you reasonably need more information to confirm the requester’s identity, the countdown doesn’t begin until you have it. Ask promptly and only for what’s necessary. Keep a clear record of when you requested and received the verification to evidence your timing.
Clarification Can Pause The Clock Too
If a request is broad (“give me everything”), you can ask the person to narrow the scope - particularly for email archives and long‑running employee files. The one‑month period may be paused while you wait for the clarification. Not every request can be narrowed, so use this sensibly and document your reasoning.
Extensions Require Early Notice
Where a request is complex or you’ve received many requests from the same individual, you may extend the deadline by up to two months. You must notify the person within the first month, explain why, and confirm the new deadline. For step‑by‑step examples, see guidance on GDPR data request deadlines.
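The counting rules in this section, worked through as an added example (this is not code from Sprintlaw or the original article): a small Python deadline calculator for a request log. It implements the rules exactly as the article states them: the clock runs from receipt, or from the later date on which identity is confirmed; the deadline is the corresponding calendar date in the following month, clamped to month-end when that date does not exist; an extension adds up to two further months but must be notified by the end of the first month; weekends and public holidays count, so the practical send-by date is the last working day on or before the legal deadline; and breach notification is due 72 continuous hours after becoming aware. The public-holiday set and the one-week review reminder are constructed assumptions for illustration, not dates the ICO specifies.

```python
"""Deadline calculator for UK GDPR rights requests and breach notifications.

Added example implementing the counting rules described in the article;
the holiday list and reminder offset below are constructed assumptions.
"""
from __future__ import annotations

import calendar
from datetime import date, datetime, timedelta
from typing import Dict, FrozenSet, Optional


def add_months(start: date, months: int) -> date:
    """Corresponding calendar date `months` after `start`, clamped to the
    last day of the target month when that day does not exist
    (31 January + 1 month -> 28 or 29 February)."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def clock_start(received: date, identity_confirmed: Optional[date] = None) -> date:
    """The clock does not start until you hold what you reasonably need to
    confirm identity, so the later of the two dates governs."""
    if identity_confirmed is None or identity_confirmed <= received:
        return received
    return identity_confirmed


def response_deadline(received: date, identity_confirmed: Optional[date] = None,
                      extension_months: int = 0) -> date:
    """Legal deadline for a rights request (SAR, rectification, erasure,
    restriction, objection, portability). extension_months is 0, 1 or 2."""
    if extension_months not in (0, 1, 2):
        raise ValueError("an extension is at most two further months")
    return add_months(clock_start(received, identity_confirmed), 1 + extension_months)


def extension_notice_deadline(received: date, identity_confirmed: Optional[date] = None) -> date:
    """Last day on which an extension can still be notified: the end of the
    first month. After this date the extension is no longer available."""
    return add_months(clock_start(received, identity_confirmed), 1)


def latest_working_day(deadline: date, public_holidays: FrozenSet[date] = frozenset()) -> date:
    """Weekends and public holidays count toward the deadline, so aim to send
    the response on the last working day on or before it."""
    day = deadline
    while day.weekday() >= 5 or day in public_holidays:  # 5 = Saturday, 6 = Sunday
        day -= timedelta(days=1)
    return day


def breach_notification_deadline(aware_at: datetime) -> datetime:
    """ICO notification is due no later than 72 hours after becoming aware of a
    notifiable breach; the window is continuous, not working hours."""
    return aware_at + timedelta(hours=72)


def request_schedule(received: date, identity_confirmed: Optional[date] = None,
                     public_holidays: FrozenSet[date] = frozenset()) -> Dict[str, date]:
    """Dates worth recording in the request log for a newly received request."""
    legal = response_deadline(received, identity_confirmed)
    return {
        "clock_start": clock_start(received, identity_confirmed),
        "extension_notice_by": extension_notice_deadline(received, identity_confirmed),
        "review_reminder": legal - timedelta(days=7),  # assumed: a week before, to assess complexity
        "legal_deadline": legal,
        "send_by": latest_working_day(legal, public_holidays),
    }


if __name__ == "__main__":
    # Constructed sample dates, not real requests or an official holiday calendar.
    sample_holidays = frozenset({date(2024, 12, 25), date(2024, 12, 26)})
    print(request_schedule(date(2024, 1, 31)))                                    # legal deadline 29 Feb 2024
    print(request_schedule(date(2024, 11, 26), public_holidays=sample_holidays))  # 26 Dec, send by 24 Dec
    print(breach_notification_deadline(datetime(2024, 5, 3, 16, 30)))             # 6 May 2024 16:30
```

The clamp in `add_months` is the detail that catches teams out: a request received on 31 January is due on the last day of February, not 3 March. Keeping `extension_notice_by` separate from `legal_deadline` makes the reminder logic explicit, since once the first month has passed the extension option is gone regardless of how complex the request turns out to be.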
Practical Systems To Meet GDPR Time Limits
Hitting every deadline isn’t about heroics - it’s about building repeatable processes that run quietly in the background. Here’s a practical blueprint you can adopt.
1) Publish Clear, Accurate Notices
Start with the basics: make sure you have a current, accurate Privacy Policy and, if you use cookies or similar tech, a compliant Cookie Policy. These set expectations and help channel requests to the right place (which immediately saves time).
2) Create A Data Rights Request Log
Log every request the moment it arrives - including the date/time received, identity checks, scope, systems to search, and the due date. A simple spreadsheet works, but a ticketing tool can help if multiple people need to contribute.
3) Triage All Intake Channels
Requests can arrive by email, contact forms, social media, customer support tools, or even verbally. Train your team to recognise a rights request and route it to your privacy lead quickly. If your staff use phones for work, it’s worth reviewing your approach to GDPR and business calls so nothing slips through the cracks.
4) Use Ready‑To‑Go Templates
Prepare response templates for acknowledgements, ID checks, clarifications, extension notices, partial refusals, and final responses. Consistency saves hours and reduces risk. If you handle frequent SARs, develop an internal playbook for gathering data from common systems (email, CRM, HR files) and redacting third‑party information.
5) Assign Owners And Escalation Paths
Designate a privacy lead and backup. Clarify how to escalate complex requests (e.g. ex‑employee grievances that involve multiple legal issues). If you outsource services, ensure your suppliers are contractually obliged to help you meet deadlines.
6) Lock In Supplier Obligations
If a supplier processes personal data for you (a “processor”), you must have a Data Processing Agreement that includes cooperation clauses for data subject rights and breach notifications. Without these, you may struggle to gather information in time.
7) Plan For The 72‑Hour Breach Clock
Run a tabletop exercise at least once a year so your team knows what to do, who to call, and how to decide if a breach is notifiable. Store your Data Breach Response Plan and incident forms in a place everyone can access securely.
8) Document Retention Schedules
Set and document retention periods for key data sets (customers, prospects, payroll, CCTV, support tickets). Automate deletion where possible and run scheduled reviews. This will reduce the volume you need to search for each SAR and help you prove compliance with storage limitation.
Common Pitfalls (And How To Avoid Them)
Even well‑run teams fall into these traps. Here’s how to stay on the right side of the line.
“We Didn’t See The Request”
Requests buried in a shared inbox or ignored DMs can still start the clock. Monitor all channels, publish a preferred contact route in your notices, and train staff to escalate immediately.
Underestimating Redaction Work
For SARs, you must protect third‑party data. Redacting email threads and attachments takes time, especially in employee disputes. Start early, use search filters to narrow scope, and keep an audit trail of your decisions.
Refusing A Request Without Explaining Why
You can refuse manifestly unfounded or excessive requests, but only with a clear explanation and within the deadline. Consider whether part of the request can be fulfilled. Where exemptions might apply, having internal guidance on responding to SARs will help you strike the right balance.
Missing The Extension Notice Window
Extensions are permitted for complex or multiple requests - but only if you notify within the first month and give reasons. Set reminders a week before the deadline so you have time to assess complexity and draft the notice.
Marketing Opt‑Outs Not Actioned Quickly
If someone opts out of marketing, stop straight away. Update your suppression list and make sure it syncs to every tool (email, CRM, ads). Don’t delete the email address entirely - keep it on your suppression list so you don’t contact them by mistake.
Assuming Retention Periods Are “Set And Forget”
Your business changes. Update retention schedules when you launch new services, adopt new tools, or expand into new markets. Regularly review guidance on practical, lawful retention periods so you don’t keep data longer than necessary.
Forgetting Cookies And Tracking Tech
Cookies and similar technologies trigger transparency and consent requirements. If your site uses analytics, ads or embedded tools, make sure your notices, consent banner and settings align. A documented approach to cookie banners that comply will reduce complaint risk and save time if the ICO asks questions.
Essential Documents That Help You Meet Time Limits
A few well‑drafted documents will make a big difference to your day‑to‑day compliance and response times.
- Privacy Policy - tells people who you are, what data you collect, why you process it, who you share it with and how to exercise their rights. A clear policy channels requests to the right place.
- Cookie Policy - explains cookies and similar tech on your site/app and how users can control them.
- Data Processing Agreement - sets cooperation duties with suppliers so you can gather data quickly for SARs and breach assessments.
- Data Breach Response Plan - defines roles, timelines, and evidence capture so you can decide and act within 72 hours.
- Internal SOPs & templates - acknowledge requests, ask for ID, request clarification, send extension notices, provide final responses, and document exemptions. If you need a starting point, review guidance on SAR deadlines and practical steps for calculating time limits.
Step‑By‑Step: Your First 30 Days To De‑Risk GDPR Time Limits
If you’re setting this up for the first time, here’s a simple 30‑day plan to get your legal foundations in order.
Week 1: Get The Basics In Place
- Appoint a privacy lead and backup.
- Publish (or update) your Privacy Policy and Cookie Policy so people know how to contact you.
- Inventory where personal data lives (email, CRM, HR, finance, support tools, file storage).
Week 2: Build Your Response Toolkit
- Set up your request log and a central inbox (e.g. privacy@yourbusiness).
- Create templates for acknowledgements, ID checks, clarifications, extension notices and final responses.
- Draft an internal checklist for responding to SARs and redaction steps.
Week 3: Fix Your Supplier Contracts
- Identify processors (email providers, payroll, marketing platforms) and put in place a robust Data Processing Agreement with each.
- Confirm how quickly each supplier can help you fetch data and support breach investigations.
Week 4: Prepare For Incidents And Audits
- Adopt a Data Breach Response Plan and run a short exercise with the team.
- Document retention schedules for your main systems (customers, staff, prospects, finance).
- Train staff to spot rights requests and escalate within 24 hours.
Key Takeaways
- GDPR time limits are strict: one month for most rights requests and 72 hours to notify the ICO about qualifying breaches.
- Calculate deadlines correctly: the clock typically starts the day after receipt, and you can pause for ID checks or clarifications where appropriate.
- Use processes, not heroics: log requests, use templates, assign a privacy lead and lock in supplier cooperation through a Data Processing Agreement.
- Publish clear notices: a current Privacy Policy and Cookie Policy help route requests and set expectations.
- Prepare for breaches: a written Data Breach Response Plan enables fast triage and timely reporting.
- Document retention periods: keep data no longer than necessary - it cuts risk and speeds up SAR responses.
- When in doubt, get advice early: extensions and exemptions exist, but they must be applied correctly and explained on time.
If you’d like help setting up compliant processes or drafting the right documents to hit GDPR time limits with confidence, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.