Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is a Subject Access Request (SAR)?
- What Is the Subject Access Request Time Limit?
- Can You Extend the SAR Response Time?
- When Does the SAR Deadline Start?
- What Happens If You Miss the SAR Timescale?
- Special Considerations for Employers Responding to SARs
- SAR Refusals, Redactions, and Exemptions
- How to Minimise Legal Risk With SARs
- Further Resources and Getting Help
- Key Takeaways: Mastering SAR Response Deadlines
If you hold personal data about customers, employees or other individuals, you’re probably already aware of Subject Access Requests – or SARs. Under UK law, anyone can ask to see the personal data you hold on them. Simple enough in theory, but in practice, handling these requests on time (and legally!) can be tricky, especially if multiple people or departments are involved.
Miss a subject access request deadline, and your business could face complaints, reputational damage, or even fines from the Information Commissioner’s Office (ICO). But don’t stress – with the right knowledge and preparation, you can confidently handle SARs, stick to the right time limits, and keep your business compliant.
In this guide, we’ll break down the UK SAR response time rules, when you can extend them, practical tips for compliance, and the best policies to keep your team on the right side of the law. If you want to master SAR timeframes and avoid the common pitfalls, this article is for you.
What Is a Subject Access Request (SAR)?
A Subject Access Request (SAR) is a formal request by an individual (the “data subject”) asking your organisation for access to the personal data you hold on them. Under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, you’re legally required to respond. This right lets people see what information your business stores about them, how it’s used, and who it’s shared with.
SARs are important for transparency and accountability. They’re particularly common in the workplace (employees might use them during grievances or disciplinary action), but anyone whose data you process can submit one – customers, suppliers, or even job applicants.
What Is the Subject Access Request Time Limit?
Let’s get straight to the key question: What is the subject access request time limit in the UK?
The short answer:
- You must respond to a SAR “without undue delay” and within one month of receiving it.
The “one month” clock starts ticking from the day you receive the request. If you receive it by email at 11pm on a Saturday, day one is Sunday. There are some nuances (like clarification requests, which we’ll cover shortly), but for most businesses, the rule is clear: don’t let that deadline slip.
This SAR timescale applies whether the request is made verbally or in writing, and regardless of the format (email, social media, paper forms, etc.). Make sure you have systems in place to spot when a SAR comes in so you don’t lose precious time.
Can You Extend the SAR Response Time?
Sometimes, responding within a month isn’t possible – maybe the request is unusually complex, covers vast amounts of data, or you’re still waiting for clarification from the requester.
The UK GDPR allows you to extend the response time by up to two additional months if the SAR is:
- Complex (for example, if you need to search multiple data sources or redact sensitive third-party information)
- One of numerous requests (if the person has made several related requests, and it’s genuinely challenging to process them all on time)
But there’s a crucial catch: You must tell the data subject about the extension within the first month. In your notification, explain why you need extra time and when they can expect a full response. If you don’t, you risk breaching the law.
When Does the SAR Deadline Start?
Here’s a common scenario: Someone sends you a SAR, but it’s vague (“please send me all the information you have about me”). Are you still on the clock?
If you need clarification (“What timeframe or department? What email address did you use?”), you can pause the deadline until the requester replies with enough detail. But be careful:
- The “pause” only works if you ask for clarification promptly.
- Don’t use the clarification process to delay the response unnecessarily.
- Once the person responds, the clock resumes – so keep records of when you requested and received clarification.
Once you have what you need, the normal one-month SAR request timescale applies.
What Happens If You Miss the SAR Timescale?
Failing to meet the SAR deadline can have serious consequences. The data subject can complain directly to the ICO. If the ICO finds you’ve breached the rules, they can order you to comply – and sometimes impose fines or other enforcement action.
Non-compliance can also damage your reputation, especially if disgruntled customers or employees take to social media. It’s a risk that’s easily avoided with the right procedures and training.
Best Practices for Meeting SAR Deadlines
No one wants a last-minute scramble to pull together hundreds of emails or files because the SAR date slipped off the radar! Here’s how to build a SAR process that meets the response timescale every time:
1. Develop a Clear SAR/DSAR Policy
If your company receives even the occasional SAR, you need a policy explaining:
- Who is responsible for handling SARs (an individual or a team)
- How requests are identified and logged
- How deadlines are calculated
- Template responses for confirmation, extension notifications, and refusal (if justified)
Having a strong subject access request procedure ensures nothing falls through the cracks, especially in busy or high-turnover workplaces.
2. Assign and Train Responsible Staff
Don’t just assume someone will notice and act on a SAR. Appoint a responsible person (often your DPO or head of HR for employment SARs), and make sure there’s cover for absence, holidays, or unexpected departures.
Train your team on what counts as a SAR, the subject access request time limit rules, and how to identify and escalate requests. You can even run practice exercises so everyone is familiar with the process when a real SAR lands.
3. Keep Thorough and Secure Records
As soon as you receive a SAR, log:
- Date of receipt
- Name and contact details of the requester
- Details of what’s requested
- Date response is due
- Any extensions or clarifications – with dates
- Date and details of your final response
This is your compliance “paper trail” if ever questioned by the requester or the ICO.
4. Manage Extensions Proactively
If there’s any chance you’ll need more than a month, act fast. Send a holding response and explain why you need more time (e.g. the SAR is particularly complex and requires extensive collation and redaction).
Remember, you must inform the requester of the extension (and reasons) within the original one-month window. Put this in writing, and keep a copy in your SAR records.
5. Use Reliable Technology and Secure Processes
Depending on your sector or business size, you might use SAR management software, automated logs, or secure email solutions. Make sure any system you use aligns with UK GDPR security requirements – and that files are only accessible to those who need them.
Regular data privacy risk assessments can help ensure your SAR responses are secure and compliant.
Special Considerations for Employers Responding to SARs
Many SARs in the UK come from employees, particularly during grievances, disciplinaries, or redundancy disputes. Here are specific tips for handling SARs as an employer:
- Act quickly: Employment-related SARs often cover a wide range of data (emails, HR records, WhatsApp messages). Start your data search as soon as you notice a request.
- Redact personal information: You may need to withhold or redact third-party personal data, or sensitive business information. Explain any redactions clearly in your response.
- Stick to the rules: The one-month timescale still applies. Remember, just because HR matters are sensitive doesn’t buy you extra time!
- Document your efforts: If you genuinely can’t access some data (due to archiving, loss, or technical limits), record your attempts and explain to the employee and, if required, the ICO.
For detailed advice, see our employment law guides and consider specialist consultation for complex cases.
SAR Refusals, Redactions, and Exemptions
There are certain circumstances where you may be entitled to refuse a SAR (for instance, if it is “manifestly unfounded or excessive”). There are also specific exemptions – such as legal privilege or confidential references – where information can lawfully be withheld.
If you intend to refuse all or part of a SAR, you must:
- Explain your reason(s) clearly and refer to the applicable exemption
- Respond within the normal SAR timescale
- Notify the individual of their right to complain to the ICO
Be cautious – ICO scrutiny is increasingly tough, so always keep detailed records of your reasoning, and seek legal advice if unsure. For more on this subject, see our guidance on protecting customer information and data rights.
How to Minimise Legal Risk With SARs
Even with the best intentions, SARs can get tricky – especially if you’re dealing with high-risk situations (such as redundancy, whistleblowing, or potential litigation). Here’s how to protect yourself and your business:
- Don’t leave SARs to the last minute. Start gathering the data as soon as you receive the request, even if you think you’ll need an extension.
- Be thorough but proportionate. Provide all relevant personal data, but don’t include unnecessary or unrelated information.
- Document decisions. Keep clear notes on why any data is redacted or withheld, or why an extension or refusal is being applied.
- Planning is key. Have your policies, records and templates ready to go – don’t wait until a SAR arrives!
- Seek expert support. If you encounter a complex or contentious DSAR, getting legal help early can protect you from accidental breaches and fines.
Further Resources and Getting Help
If you’re looking to update your SAR response policy, draft compliant templates, or respond to a particularly complex request, you don’t have to do it all alone. Whether you need a DSAR form template, privacy policy review, or help with a specific DSAR, our experienced team at Sprintlaw UK can support you at every stage.
Key Takeaways: Mastering SAR Response Deadlines
- The legal subject access request time limit is strictly one month, starting from the day of receipt.
- If the SAR is “complex”, you can extend the DSAR response time by up to two months, but the requester must be notified of the extension within the first month – with valid reasons why.
- Pausing the timescale is only allowed if you quickly request clarification from the data subject, and the clock resumes once they reply.
- Missing SAR deadlines can lead to complaints, investigations, fines, and reputational harm for your business.
- Having strong SAR policies, assigning responsible staff, training your team, and maintaining detailed records are your best safeguards.
- Special care is required for SARs in employment and other sensitive contexts – seek legal advice if in any doubt.
- Proactively planning your SAR processes now will ensure you stay compliant and protect your business long-term.
If you would like help with SAR policies, response templates, or have a particularly complex subject access request, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat. Our friendly legal experts are here to help you get, and stay, compliant from day one.


