Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you handle any personal data about customers, staff, or suppliers, you’ll eventually receive a Subject Access Request (SAR). When that lands in your inbox, the clock starts ticking - and getting the timescales right is critical.
In this guide, we break down the SAR request timescale under UK GDPR and the Data Protection Act 2018 in plain English. You’ll learn how to calculate the deadline, when you can extend it, when you can pause the clock, and how to set up a simple process that keeps you compliant without derailing your day-to-day operations.
Let’s make SAR time frames simple so you can respond confidently and stay protected from day one.
What Is The Subject Access Request Timescale Under UK Law?
Under UK GDPR (Article 15) and the Data Protection Act 2018, you must respond to a SAR “without undue delay” and in any event within one calendar month of receiving the request.
That month is a calendar month - not 30 days and not working days. In practice, this means if you receive a valid SAR on 10 March, your standard deadline is 10 April.
You can extend the deadline by a further two months (so, up to three months in total) if a request is complex or if you have received a number of requests from the person. You must tell the requester within the first month that you’re extending the time limit and explain why.
For a deeper dive on time limits, many businesses find it helpful to review clear guidance on SAR response timescales.
How To Calculate Your SAR Time Frame (With Examples)
Most compliance headaches arise from miscounting days. Here’s how to get it right.
When Does The Clock Start?
- The clock starts on the day you receive the SAR (day zero). Your deadline is the same date in the next calendar month.
- If you need to verify identity, you can pause the clock until you’ve received sufficient ID to confirm the requester’s identity.
- If you process large volumes of personal data and you reasonably need the requester to clarify the scope, you can pause the clock while you wait for clarification (but only where it’s reasonable and necessary to locate the data).
Do Weekends And Bank Holidays Count?
- Yes, the month is calendar-based. However, if your deadline falls on a weekend or a public holiday, you can provide your response on the next working day.
End-Of-Month Quirks
- If the corresponding date doesn’t exist in the next month (e.g. received on 31 January), the deadline is the last day of the next month (e.g. 28 or 29 February).
Examples
- Received: 3 May → Deadline: 3 June
- Received: 30 August → Deadline: 30 September
- Received: 31 March → Deadline: 30 April
- Received: 15 December (deadline would fall on 15 January; if that’s a weekend, you may respond the next working day)
If your team prefers a checklist, it’s worth bookmarking a quick explainer on how to calculate DSAR deadlines.
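To make the calendar-month, end-of-month and next-working-day rules above concrete, here is an added Python deadline calculator (example code, not from the original guide). It assumes that a pause restarts the month from the day you receive sufficient ID or the scope clarification, and its bank-holiday set is a constructed sample, not a full UK calendar.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import calendar


@dataclass(frozen=True)
class SarDeadline:
    clock_start: date       # day the one-month period is counted from
    nominal: date           # calendar-month date before any working-day adjustment
    due: date               # latest date on which to send the response
    extend_notice_by: date  # latest date to tell the requester you are extending


def add_calendar_months(start: date, months: int) -> date:
    """Same day-of-month `months` ahead; if that day does not exist
    (31 January + 1 month), the last day of the target month (28/29 February)."""
    month_index = start.month - 1 + months
    year, month = start.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day: date, holidays: frozenset) -> date:
    """Roll a weekend or bank-holiday deadline forward to the next working day."""
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return day


def sar_deadline(received: date, *, clock_restarted: Optional[date] = None,
                 extended: bool = False,
                 holidays: frozenset = frozenset()) -> SarDeadline:
    """Deadline for a SAR received on `received`.

    clock_restarted: assumed model of a pause, i.e. the day sufficient ID or
    the scope clarification arrived, from which the month is counted instead.
    extended: True once the requester has been told the request is complex
    (three months in total rather than one).
    """
    start = clock_restarted or received
    if start < received:
        raise ValueError("clock cannot restart before the request was received")
    one_month = add_calendar_months(start, 1)
    nominal = add_calendar_months(start, 3) if extended else one_month
    return SarDeadline(start, nominal, next_working_day(nominal, holidays), one_month)


# Constructed sample for the demo: Christmas Day and Boxing Day 2025 only.
DEMO_HOLIDAYS = frozenset({date(2025, 12, 25), date(2025, 12, 26)})

if __name__ == "__main__":
    for received in (date(2025, 5, 3), date(2025, 3, 31), date(2025, 1, 31),
                     date(2025, 11, 14), date(2025, 11, 25)):
        d = sar_deadline(received, holidays=DEMO_HOLIDAYS)
        print(f"received {received} -> nominal {d.nominal}, due {d.due}")
```

The 14 November case shows a deadline falling on a Sunday rolling to Monday 15 December, and the 25 November case shows Christmas Day, Boxing Day and the weekend being skipped to Monday 29 December.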
When Can You Extend The SAR Time Limit?
You can extend the SAR time frame by up to two additional months where it’s “complex” or where you receive multiple requests from the same individual. “Complex” isn’t defined exhaustively, but common triggers include:
- Large volumes of unstructured data requiring significant review and redaction (for example, years of emails and chat logs)
- Requests that span multiple systems, group entities, or third-party processors
- Sensitive third-party personal data intertwined with the requester’s data that requires careful redaction
- Technical difficulties retrieving archived or legacy data that is still in scope
If you’re extending, you must:
- Notify the requester within the initial one-month period that you need more time
- Explain clearly why the request is complex or why multiple requests are involved
- Provide a revised date by which you will respond (no later than three months from receipt)
Remember, you should still respond “without undue delay”. Even with an extension, aim to provide data in batches as it becomes available rather than waiting until the final day if that’s reasonable for your operations.
Can You Refuse Or Charge A Fee?
Generally, you must respond to SARs free of charge. However, you can refuse to comply or charge a reasonable fee for administrative costs if the request is “manifestly unfounded or excessive”. You can also charge a reasonable fee for additional copies of the data, but not for the initial copy.
“Manifestly unfounded or excessive” is a high bar. Consider factors like repetitive requests in a short period, bad faith intent (e.g. threats to make repeated requests), or requests that clearly go beyond the person’s own data. If you’re refusing or charging a fee, you must tell the individual why, and inform them of their right to complain to the ICO and to seek a judicial remedy.
In addition, several exemptions may apply under the Data Protection Act 2018 that allow you to withhold specific information, such as legal professional privilege, confidential references you’ve given, management planning information where disclosure would prejudice negotiations, or data relating to crime and taxation. These are applied narrowly and on a case-by-case basis. If you rely on an exemption, keep a clear record explaining your reasoning.
If you’re weighing up whether an exemption applies, it’s useful to scan a short primer on SAR exemptions before you decide.
A Step-By-Step SAR Process For Small Businesses
Having a simple playbook means you won’t scramble when a SAR arrives. Here’s a practical workflow you can adapt to your organisation.
1) Log And Acknowledge
- Record the date of receipt and assign an owner.
- Send a quick acknowledgement within a few days confirming the statutory deadline and any next steps (e.g. ID verification).
2) Verify Identity (Pause If Needed)
- Ask for reasonable ID where needed, especially if you don’t have an ongoing relationship with the requester or the request is sensitive. The clock can be paused until you receive sufficient ID.
3) Clarify Scope (Pause If Reasonable)
- If you hold large volumes of data, ask the requester to narrow the time period, data types, systems, or keywords. You may pause the clock while awaiting clarification where it’s reasonable and necessary to locate the data.
4) Locate And Collect
- Search core systems (email, CRM, HR/payroll, messaging tools, ticketing systems, file shares, cloud storage, backups as appropriate).
- Request data from any processors under your Data Processing Agreement or partners under a Data Sharing Agreement.
5) Review, Redact, And Apply Exemptions
- Remove or redact third-party personal data unless you have consent or it’s reasonable to disclose.
- Apply relevant exemptions narrowly and document your reasons.
- Check for confidential business information and trade secrets in mixed communications; these aren’t automatically exempt, so consider whether an exemption genuinely applies.
6) Prepare The Response Pack
- Provide a copy of the personal data in a commonly used electronic format, unless the individual requests otherwise.
- Include the required transparency information: purposes, categories of data, recipients, retention period, source (if not collected from the individual), and information about rights and complaints routes.
- Keep a record of exactly what you disclosed and when.
7) Deliver Securely And On Time
- Send via a secure method (e.g. encrypted file link with separate password or secure portal access).
- Communicate clearly and courteously. If anything is withheld, explain what and why, and signpost their ICO rights.
If you prefer a checklist you can copy into your internal playbook, you can adapt the steps from this guide on responding to SAR emails.
What Should Your SAR Policy And Documents Cover?
Putting your process into a short, practical policy saves hours when a request arrives. Aim to cover:
- How staff recognise a SAR (any written request for personal data, in any channel)
- Who logs and triages the request, and your internal SLA (e.g. 5 days) for acknowledgement
- Identity verification steps (and when to pause the clock)
- Reasonable scope clarification wording (and when a pause is justified)
- Search locations and owners for each system (email, CRM, HR, messaging apps, archives, backups)
- Redaction rules and common exemptions (with escalation points)
- Secure delivery methods and template cover letters
- How to record decisions and keep an audit trail
Templates help. Build a friendly acknowledgement, ID check request, scope clarification note, and final response letter. You can adapt a practical SAR template to speed things up.
Finally, make sure your public-facing Privacy Policy tells people how to make a request and where to send it. This reduces misdirected requests and keeps everything flowing to the right inbox.
If you’re setting up your broader privacy framework, a bundled Data Protection Pack can streamline your policies, notices and internal procedures so your SAR process fits neatly into the bigger picture.
Common SAR Pitfalls (And How To Avoid Them)
Most issues we see fall into a handful of patterns. Here’s how to steer clear.
- Mistaking 30 days for one month: Always calculate a calendar month. If you struggle with this, keep a simple calculator workflow or refer to guidance on time limits for DSARs.
- Not pausing when you can: If you genuinely need ID or reasonable scope clarification, pause the clock and document why. Don’t let the time slip while you wait informally.
- Over-redacting (or under-redacting): Redact third-party personal data consistently, but don’t assume you can remove everything uncomfortable. Apply exemptions carefully and keep a note.
- Forgetting processor data: Your processors may hold relevant data. Use your Data Processing Agreement obligations to pull it through quickly.
- Missing the narrative info: A SAR response isn’t just a data dump. Include the required transparency details (purposes, recipients, retention, rights).
- Security gaps in delivery: Use encryption or a secure portal and confirm the recipient before sending anything sensitive.
- No audit trail: Keep a record of decisions, exemptions applied, redactions, and correspondence. This is invaluable if the ICO asks questions.
Key Takeaways
- The standard SAR request timescale is one calendar month from receipt, with an option to extend by up to two months for complex or multiple requests - tell the requester within the first month if you’re extending.
- You can pause the clock while verifying identity or, where reasonable and necessary, while awaiting clarification to help you locate the data.
- Most SARs are free. You may refuse or charge a reasonable fee only if a request is manifestly unfounded or excessive, or for additional copies; apply statutory exemptions narrowly and document your reasoning.
- Follow a simple workflow: log and acknowledge, verify ID, clarify scope, collect from all systems and processors, review and redact, include the required transparency information, and deliver securely.
- Have a short SAR policy, staff training, and ready-made templates so you can respond quickly and consistently. Keep your Privacy Policy clear about how to make a request.
- If your team needs a practical blueprint, adapt a SAR template and keep a reference on SAR timescales close to hand.
If you’d like help setting up a compliant SAR process, reviewing exemptions, or drafting the right documents, you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.