Summary
- You must respond to a Subject Access Request (SAR) within one calendar month, with limited exceptions.
- Extensions of up to two months are allowed for complex requests, and you can pause the clock if further clarification is needed.
- The Data (Use and Access) Act 2025 introduces clarity regarding SAR timeframes and processes, including when the clock starts.
- LegalVision’s data, privacy and IT lawyers specialise in advising businesses on managing SARs, ensuring compliance with UK data protection laws, and helping businesses navigate the complexities of the Data (Use and Access) Act 2025.
Tips for Businesses
To ensure timely SAR responses, implement clear internal processes and assign responsibility for each step. Regularly review and update your SAR policy and keep detailed records, including any extensions or clarification requests. Make sure your staff are trained on the importance of timely compliance and understand how to manage requests effectively, reducing the risk of regulatory penalties and reputational harm.
Handling a subject access request (SAR) can place immediate pressure on your business. You need to locate and review personal data, assess what you can disclose, apply exemptions and redact information, all within strict legal timeframes.
If you miss these deadlines or respond incorrectly, you expose your business to complaints, regulatory action and reputational damage. This article explains how SAR response deadlines work, what has changed under the Data (Use and Access) Act 2025 (DUA Act) and what you should do to stay compliant.
What is a Subject Access Request and Why It Matters
A subject access request allows an individual to ask whether you hold their personal data, obtain a copy of that data and understand how you use it.
In practice, SARs often arise in high-risk situations such as employee grievances, dismissals or customer disputes. This means your response is not just a compliance exercise: it also affects your legal position.
The right of access is a core part of data protection law. If you fail to respond properly or on time, you risk regulatory investigation, enforcement action, financial penalties and reputational harm. Even where no formal action is taken, delays can escalate disputes and damage trust with customers or employees.
How Long Do You Have to Respond to a SAR?
The Standard One-Month Deadline
You must respond to a valid SAR without undue delay and within one calendar month of receiving it. This is the default position and should be your baseline assumption when managing any request.
When Can You Extend the Timeframe?
You may extend the response period by up to two additional months if the request is complex or the individual has made multiple requests. However, you must act proactively.
When Can You Pause the Timeframe?
In limited circumstances, you may pause the one-month timeframe if you need clarification to process the request.
This typically arises where the request is broad and you hold large volumes of data. You can ask the individual to specify what information they are seeking. The clock pauses from the time you request clarification until you receive a response.
You should only rely on this mechanism where genuinely necessary. If you delay unnecessarily or request excessive clarification, you increase the risk of complaints and regulatory scrutiny.
How the Data (Use and Access) Act 2025 Changes SAR Timeframes
The Data (Use and Access) Act 2025 (DUA Act) clarifies how you calculate SAR response deadlines. The one-month timeframe remains the same. However, the Act confirms that the clock starts at the latest of when you receive the request, when you verify the individual’s identity or when you receive a lawful fee (which applies only in limited cases).
How to Manage SAR Timeframes Effectively
You need clear internal processes to manage SARs within time.
- Start by updating your SAR policy and ensuring your team can identify requests and understand the applicable timeframes.
- You should also keep detailed records of each request, including any extensions, clarification requests or exemptions. This helps demonstrate compliance if your response is challenged.
- Make sure you know where personal data is stored and who is responsible for accessing it. This allows you to carry out searches efficiently.
- You should also assign responsibility for each stage of the SAR process and use templates for clarification requests and extension notices to ensure consistency.
Key Takeaways
You must respond to a SAR within one month unless a valid extension applies. The DUA Act clarifies when this timeframe starts and how it operates. If you fail to comply, you risk regulatory action, penalties and reputational damage. Clear processes, accurate record-keeping and trained staff are essential to managing SARs effectively.
LegalVision provides ongoing legal support for businesses through our fixed-fee legal membership. Our experienced data, privacy and IT lawyers help businesses manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Responding to SARs within strict timeframes is a legal requirement, and failing to do so can result in various penalties and damage your business reputation.
Put simply, the DUA Act amends how you calculate time for compliance. It expands the grounds on which you may delay responding to a request and clarifies the rules on extensions of time. These measures incorporate existing regulatory guidance into legislation, creating a more predictable and certain framework for handling SARs.