How long do I have to respond to a subject access request?
Under UK GDPR, you have 1 calendar month from receipt of a valid subject access request (SAR) to respond. You can extend this by a further 2 months for complex or numerous requests — but you must tell the individual within the first month that you're extending and why.
Full answer
A Subject Access Request (SAR) is when an individual asks to see the personal data you hold about them. Under UK GDPR Article 15, this is a legal right — and your response deadlines are strict.
Standard deadline: 1 calendar month
The clock starts when you receive a valid request. A 'valid' request can be made verbally or in writing, by any means: email, letter, social media message, phone call. You don't need a formal SAR form.
Extending the deadline
For complex or numerous requests you can extend the deadline by a further 2 months, but you must:
- Inform the individual within the first month that you're extending
- Explain why the extension is necessary
What you must provide
- Confirmation of whether you process their data
- A copy of all personal data you hold about them
- The purposes of processing
- Who you share it with
- How long you keep it
- Their rights (to rectify, erase, object)
Can you charge a fee? No — SARs must be free. Exceptions exist for manifestly unfounded or excessive requests.
Can you refuse? In limited circumstances (manifestly unfounded, excessive, or overlapping with third-party rights). But you must document your reasoning carefully.
What happens if you miss the deadline? The individual can complain to the ICO. The ICO can require you to comply, issue a reprimand, and potentially fine you. Late or poor SAR responses are one of the most common ICO complaint triggers.
Practical tip: Appoint one person as your SAR coordinator and log all requests from the moment they arrive.
Related questions
How long do I have to report a data breach UK?
Under UK GDPR, you must report a personal data breach to the ICO within 72 hours of becoming aware of it — if it's likely to result in a risk to people's rights and freedoms. The clock starts when you (as an organisation) become aware, not just when it's confirmed.
What are GDPR fines for small businesses UK?
The ICO can fine businesses up to £17.5 million or 4% of global annual turnover — whichever is higher — for serious UK GDPR breaches. For less serious breaches, the cap is £8.7 million or 2% of turnover. In practice, small business fines are much lower, but they do happen.
Do I need to give an employment contract from day one?
Yes. Since April 6, 2020, employers must provide a written statement of employment particulars on or before the employee's first day of work. This replaced the old 2-month rule. Failure to do so is automatically an unlawful act.