Compliance Cover
Data subject access requests: responding within 30 days

How to handle data subject access requests under UK GDPR. Covers what requesters are entitled to, the 30 day response deadline, exemptions, and setting up efficient processes.


Rachel Hughes

2026-03-11

What is a data subject access request?

A data subject access request (DSAR) is a request from an individual to see the personal data an organisation holds about them. Under UK GDPR, people have the right to access their data, understand how it is being used, and receive a copy of it.

Any individual can make a request, whether they are an employee, customer, supplier contact, or member of the public whose data you hold. The request does not need to use specific wording. Anything that indicates someone wants access to their personal data counts as a DSAR.

Organisations must respond within one calendar month, providing the information free of charge in most cases. Getting this wrong can lead to complaints to the Information Commissioner's Office (ICO) and potential enforcement action.


What requesters are entitled to

When someone makes a valid DSAR, they are entitled to confirmation that you hold their data, access to that data, and certain supplementary information about how you use it.

Confirmation and access

First, confirm whether you process personal data about them. If you do, provide a copy of that data in a commonly used electronic format unless they ask for something else.

Supplementary information

Beyond the data itself, you must provide:

  • The purposes of your processing
  • The categories of personal data concerned
  • Who you have shared the data with (or categories of recipients)
  • How long you will keep the data (or criteria for determining this)
  • Their rights to rectification, erasure, restriction, and objection
  • Their right to complain to the ICO
  • The source of the data if you did not collect it directly
  • Whether automated decision-making is involved

Format of the response

Provide the information in a concise, transparent, and easily accessible way. If the request was made electronically, respond electronically unless they ask otherwise. Use clear language rather than legal jargon.


The 30 day deadline

You must respond without undue delay and at the latest within one calendar month of receiving the request. This means one month from the date of receipt, not the date you got around to looking at it.

When does the clock start?

The countdown begins when you receive the request, regardless of which channel it arrives through. A request on social media counts the same as a formal letter. Make sure all potential contact points know how to recognise and escalate DSARs immediately.

Extending the deadline

For complex or numerous requests, you can extend by a further two months. But you must tell the requester within the first month that you are extending, explain why, and still provide a response within the extended timeframe.

What counts as complex?

Genuinely complex requests involve large volumes of data, technical difficulties in retrieval, or the need to consult with third parties. A request is not complex just because it is inconvenient or you are busy.


Verifying the requester's identity

Before disclosing personal data, you must be confident you are giving it to the right person. Disclosing someone's data to an impersonator would itself be a data breach.

Reasonable verification

What counts as reasonable depends on context. For an employee making a request through their work email, little additional verification may be needed. For a request from an unknown email address, you might ask for ID or other confirmation.

Do not use verification to delay

Verification should not become an obstacle course. Only ask for what you reasonably need. The clock keeps running while you verify, so do it quickly.

Third party requests

Sometimes someone makes a request on behalf of another person, such as a solicitor acting for a client. Verify they have authority to act. A letter of authority or evidence of legal representation is usually sufficient.

Finding the data

Locating all personal data about someone can be challenging, especially if data is scattered across multiple systems, mailboxes, and paper files.

Where to look

  • HR systems and personnel files
  • Email (including archives)
  • CRM and customer databases
  • Finance and payment systems
  • Shared drives and cloud storage
  • Paper records
  • Backup systems
  • CCTV footage

Searching emails

Email searches often return large volumes. You need to review everything to identify personal data and check for exemptions. This is time-consuming but necessary.

Other people's data

Search results often contain other people's personal data mixed in. You must redact third party information unless those individuals consent or it is reasonable to disclose without consent.

Exemptions

Not all data must be disclosed. UK GDPR includes exemptions that may apply to some or all of a request.

Third party data

If disclosing the requested data would reveal information about another identifiable person, you may refuse unless that person consents or it is reasonable to disclose without consent. Consider whether redaction would allow partial disclosure.

Legal privilege

Information subject to legal professional privilege is exempt. This includes confidential communications between a person and their legal adviser for obtaining legal advice.

Confidential references

References given or received in confidence for employment, education, or training are exempt from disclosure.

Management planning

Data processed for management forecasting or planning may be exempt if disclosure would prejudice those activities. This is a narrow exemption requiring genuine prejudice, not merely inconvenience.

Crime and taxation

Exemptions exist where disclosure would prejudice the prevention or detection of crime, apprehension of offenders, or assessment or collection of taxes.


Refusing or charging for requests

Most DSARs must be handled free of charge, but there are limited circumstances where you can refuse or charge a fee.

Manifestly unfounded requests

If a request is clearly made in bad faith, for example as harassment or with no genuine interest in the data, you can refuse. The bar is high, and you must be able to demonstrate why the request is unfounded.

Manifestly excessive requests

For requests that are excessive, particularly due to repetition, you can charge a reasonable fee or refuse. Consider the volume of data, resources required, and whether the requester is making repeated similar requests.

If you refuse

Inform the requester within one month, explain your reasons, and tell them they can complain to the ICO or seek a judicial remedy. Keep records of your decision-making.

Practical tips for efficient handling

Have a process

Do not figure it out from scratch each time. Have a documented process that staff know and follow. Template letters, checklists, and clear escalation paths speed things up.

Act immediately

Start work as soon as a request arrives. Delaying makes the deadline harder to meet and creates stress later.

Log everything

Record when the request was received, what steps you took, any communications with the requester, and how you reached decisions about exemptions. This protects you if challenged.

Senior ownership

Someone senior should own the DSAR process and ensure requests do not get lost. In larger organisations, this might be the Data Protection Officer or equivalent.

Train your team

Anyone who might receive a DSAR should recognise one and know what to do. A request sent to a generic inbox and ignored is still a missed deadline.

FAQs: data subject access requests

Can employees make DSARs?

Yes. Employees have the same rights as anyone else. Expect DSARs from current and former employees, particularly in grievance or disciplinary situations or following termination.

What if we cannot find any data?

If after reasonable searches you hold no data about the requester, tell them. A nil return is still a valid response and must be made within the deadline.

Can we ask why they want the data?

You can ask, but they do not have to tell you, and their reason does not affect their rights. Motive only becomes relevant if you are considering whether a request is manifestly unfounded or excessive.

What if the request is vague?

You can ask for clarification to help locate the data. The clock pauses while awaiting clarification, but you must ask promptly and specifically.

Getting DSAR handling right

Data subject access requests are a routine part of data protection compliance. With good processes, they are manageable. Without them, every request becomes a scramble that risks missed deadlines and incomplete responses.

Build the capability now: document your process, train your people, and have systems to track requests against deadlines. When requests arrive, you will handle them efficiently rather than panic.



Rachel Hughes

Data Protection Officer at Compliance Cover. Certified GDPR practitioner helping UK businesses navigate data protection requirements.
