What Is the Data Subject Access Request Time Limit?
In the majority of cases, responses to Data Subject Access Requests (DSARs) must be completed within one month after a request has been received with all of the required identification information. However, the response deadline can be extended by two months for complex or multiple requests.
The deadline for responding to DSARs isn't just an administrative “tick-box” – it’s central to legal compliance and risk management. Missed or poorly handled DSARs open your organisation to regulatory complaints, enforcement action, civil claims, and investigations from the ICO, and they can quickly damage your organisation’s reputation, too.
This article will help you understand the typical timeframe for completing a DSAR, including the practical and legal factors that can change this timeframe. If you have any further questions about the handling of DSARs, please get in touch with our GDPR experts at Data Driven Legal for a free consultation.
Key Takeaways
- Responses are due one calendar month from a valid request, with the clock starting after any required information (such as ID) has been received.
- You may extend the DSAR response time by two months for complex requests, but you must notify the requester within the first month and justify the extension.
- Missed deadlines carry serious risk, such as regulatory fines, enforcement, legal claims, reputational damage, and commercial loss.
What Is the Standard Time Limit for a Data Subject Access Request?
Your organisation must respond to the majority of DSARs within one calendar month, starting from the day it receives a valid request. There is also an expectation that requests are handled without undue delay and “as quickly as possible.” If the same calendar date in the following month falls on a weekend or bank holiday, the deadline automatically moves to the next working day.
The Data (Use and Access) Act 2025 (DUAA) formalises a “stop the clock” mechanism: you can pause the running of the response deadline while you wait for necessary clarification or verification from the requester (e.g. identity checks). Once you receive the required information, the clock restarts.
Practical Example
If your organisation receives a request on 25 November, the one-month deadline would ordinarily be 25 December. However, because 25 and 26 December are bank holidays, the deadline moves to the next working day, which would be 27 December (unless this is on a weekend).
What Extensions May Apply to a DSAR’s Time Limit?
If a DSAR is complex, your organisation may extend the one-month response period by up to a further two months, giving a maximum of three months in total. If you use this extension, you must inform the requester within the first month and explain why the extra time is needed – all extensions must be both reasonable and justified.
Common reasons controllers treat a request as complex include:
- Large volumes of data to locate, review and prepare, e.g. long retention periods or historic records.
- Multiple IT systems or legacy systems: searches across email, CRM, shared drives, backups, and archives.
- Third-party consultations: you may need to ask other organisations for information they hold about the requester.
- Legal exemptions and redaction work: deciding and applying redactions for third-party data, legal professional privilege, or ongoing litigation.
What Should You Include in a Data Subject Access Request Response?
A typical DSAR response will, at a minimum, provide a copy of the requester’s personal data in a commonly used, accessible format.
Where required or best practice, you may also include:
- Confirmation that the organisation is processing the individual’s data.
- Supplementary information about how the data is used, including the purpose of processing, categories of data, recipients, retention period, data source (if not collected directly), and details of the individual’s data rights.
What Are the Consequences of a Late DSAR Response?
Failing to meet the DSAR response time can lead to legal, financial, and reputational harms, including:
- ICO-Issued Reprimands: Formal notices or public criticism that signal regulatory concern.
- ICO-Issued Fines: Monetary penalties may be imposed for serious or persistent breaches of data-protection obligations.
- Enforcement Notices: Directions to take (or stop) specific actions to remedy non-compliance.
Contact Us to Take the Uncertainty Out of DSAR Compliance
Responding to Data Subject Access Requests can be time-consuming, complex, and high-risk if handled incorrectly. By partnering with Data Driven Legal, you can remove that uncertainty with our Fixed Fee DSAR service – managing every stage of the process from data collection to response delivery.
Our team ensures each request is handled lawfully, on time, and with minimal disruption to your business. Get in touch today to learn how we can help you stay compliant and take the stress out of DSAR management.