Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, you’ll probably handle personal data every day - customer orders, enquiry forms, marketing lists, employee records, CCTV, support tickets, and more.
That’s exactly why a Subject Access Request (often shortened to “SAR”) can land on your desk at any time. And when it does, one of the first questions is usually:
What’s the GDPR subject access request time limit - and when does the clock start?
Getting the time limit wrong can quickly turn a manageable admin task into an avoidable compliance issue. The good news is: once you understand the rules (and set up a simple process), handling SARs becomes much less stressful.
What Is a GDPR Subject Access Request (SAR) For Businesses?
A Subject Access Request is a request from an individual (the “data subject”) asking you for access to the personal data you hold about them.
In the UK, this right comes from the UK GDPR (as applied in the UK post-Brexit) and the Data Protection Act 2018.
From a business perspective, a SAR can come from:
- a customer who wants to see what information you’ve stored about them;
- a former customer disputing an issue;
- an employee (or ex-employee) asking for copies of emails, HR notes, disciplinary records, or messages;
- a prospective customer asking what marketing data you hold and where it came from;
- someone who appears in your CCTV footage.
It’s also worth knowing that a SAR doesn’t have to say “subject access request” or even “GDPR”. If someone asks for “all the information you hold about me”, that may be a SAR, even if it arrives via an informal email or social media message.
As an employer, you’ll want a clear internal process for handling these requests, especially where your files contain mixed information (for example, a grievance file that includes other staff members). The obligations are explained in more detail in Subject Access Requests.
What Counts As “Personal Data” In Practice?
Personal data is any information relating to an identifiable individual. In a small business, this commonly includes:
- contact details (name, email address, phone number, delivery address);
- order history and payment-related records (not usually full card details, but order metadata);
- support interactions and complaint records;
- marketing preferences and tracking data (where it relates to an identifiable person);
- HR records, absence records, performance notes;
- emails and messages where the person is mentioned or can be identified;
- CCTV where the person is visible and identifiable.
Because SARs can touch so many systems, the time limit is only half the story - you also need a practical plan for locating, reviewing, and responding to data properly.
What Is the GDPR Subject Access Request Time Limit In the UK?
The core time limit is:
You must respond to a subject access request without undue delay and within one month.
In most cases, that “one month” timeframe is the key deadline you should plan around. If you’re building a process internally, assume you’ll need to complete everything within a month unless you have a clear reason to extend (we’ll cover extensions below).
When Does the One-Month Clock Start?
This is where businesses often get caught out.
In general, the one-month period starts when you receive the request (not when you “get around to reading it”). That means:
- if the request hits your support inbox, it has been received;
- if the request goes to a staff member’s email address, it has been received (even if they’re on leave);
- if the request comes through a webform or social message, it has been received.
Practically, this is why it’s so important to train your team to spot SARs and escalate them immediately.
One important nuance: if you reasonably ask for ID to verify the requester’s identity, or you reasonably ask them to clarify what they want, the one-month deadline can effectively “pause” while you’re waiting for their response. Once you have what you reasonably need, the clock starts running again.
Can You Ask For ID First?
Yes - if you reasonably need to verify the requester’s identity (for example, the request comes from an unfamiliar email address, or you hold sensitive data).
But be careful: asking for ID shouldn’t become a “delay tactic”. You should only ask for what is necessary and reasonable in the circumstances.
A good approach is to have an internal checklist and a consistent workflow, supported by tools like an Access Request Form, so you can quickly confirm identity, clarify scope, and start searching your systems.
Is It Always Exactly One Calendar Month?
It’s usually treated as a calendar month (for example, received on 10 March, due by 10 April). If you receive a request near the end of the month, don’t assume you have “30 days” - plan based on the calendar date and work to your earliest reasonable deadline.
If the deadline falls on a weekend or bank holiday, don’t rely on that to “buy time”. The legal timeframe is calendar-based, and you should plan to respond in good time.
When Can You Extend the Time Limit (And By How Much)?
Sometimes, a SAR is genuinely complex - especially for small businesses where data sits across multiple tools (email, accounting software, booking systems, WhatsApp, HR folders, CRM, CCTV).
In the UK, you can extend the subject access request time limit by up to a further two months if:
- the request is complex, or
- you’ve received a number of requests from the individual (or multiple individuals) that make the response burdensome.
That means the total timeframe can be up to three months (one month plus up to two months of extension), but you need to have a real justification.
You Must Tell Them Within the First Month
If you’re extending, you should inform the requester within one month of receiving the request, explaining:
- that you are extending the timeframe; and
- why the extension is necessary.
In other words: you can’t go quiet for a month and then decide to extend after the deadline has already passed.
What Counts As “Complex” For a Small Business?
There’s no single definition, but complexity could include situations like:
- large volumes of email correspondence spread across multiple mailboxes;
- data that needs careful review because it contains third-party information;
- the need to extract CCTV footage across multiple dates and locations;
- requests involving both customer data and employee/admin data;
- archived systems, backups, or legacy platforms.
The key is to be able to show you’re acting reasonably, promptly, and methodically.
What You Need To Do During the Time Limit (A Practical SAR Workflow)
Meeting the subject access request time limit isn’t just about sending something by the deadline. It’s about responding properly - with the right data, in the right format, and with the right supporting information.
Here’s a practical workflow many small businesses use.
1) Record the Request Immediately
Create a simple internal record that logs:
- date received;
- who received it (and via which channel);
- deadline date (one month, subject to any “pause” while verifying ID or clarifying scope, where reasonable);
- whether an extension might be needed;
- the scope of the request;
- systems searched and results.
This “audit trail” can make a big difference if the requester complains to the ICO later.
2) Confirm Identity (Where Needed)
Confirming identity protects the individual and your business. For example, you don’t want to accidentally disclose someone’s order history, complaint records, or HR file to the wrong person.
Keep the ID request proportionate. In some cases (for example, an existing customer emailing from the same address used for their account), you may not need additional verification.
3) Clarify the Scope (Without Overcomplicating Things)
People often ask for “everything”, but sometimes they only want certain categories of data (for example, “all emails about my complaint”). Clarifying scope can save you a lot of time and reduce the need for an extension.
However, you should be careful not to use “clarification” as a reason to stall. If the request is broad but clear, you still need to progress it.
4) Search Your Systems Thoroughly
Most SAR responses involve pulling data from multiple places, such as:
- your CRM or customer database;
- order management systems and booking platforms;
- email accounts (including shared inboxes);
- work chat tools (where used for customer service or internal discussion);
- HR and payroll systems (for employee SARs);
- CCTV storage solutions;
- paper files (yes - SARs can cover these too).
This is also where having good governance documents and internal rules helps. For example, if your team knows what can and can’t be stored in work tools under an Acceptable Use Policy, it becomes much easier to locate data and reduce risk.
5) Review for Third-Party Data and Exemptions
One of the biggest time sinks is reviewing data to check whether it contains information about other people.
As a business, you may need to redact or withhold parts of documents where disclosure would reveal another individual’s personal data, unless you have a lawful basis to share it or you can anonymise it properly.
There are also legal exemptions that may apply in certain situations. For businesses, the tricky part is applying them correctly, especially in employee SARs or disputes. Guidance on this area is covered in what employers can withhold.
Because exemptions can be technical (and mistakes can create unnecessary conflict), it’s often worth getting advice before you refuse or redact large portions of the data.
6) Provide the Data in an Accessible Form (And Include the Required Information)
Usually, you’ll provide the data electronically (unless the requester specifically asks otherwise). Your response should typically include:
- confirmation that you process their personal data;
- copies of the personal data (subject to redactions/exemptions);
- supporting information such as categories of data, purposes of processing, recipients, retention periods, and details of rights (where relevant).
Make sure you provide the information securely - for example, password-protected files or a secure portal - depending on sensitivity.
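As an added illustration (not from the article or Sprintlaw), here is a small Python tracker that models the step 1 log entry and applies the deadline rules explained earlier: calendar-month counting (not "30 days"), the pause while you wait for ID or clarification, and the extension of up to two further months that must be notified within the first month. The end-of-month fallback in add_months is an assumption not stated in the article.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic (not '30 days'). Assumption made here, not
    stated in the article: if the corresponding date does not exist (e.g.
    31 Jan + 1 month), the deadline is the last day of the target month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

@dataclass
class SarRecord:
    """One entry in the internal SAR log (fields from step 1 of the workflow)."""
    received: date                      # date the request hit any channel
    channel: str                        # e.g. "support inbox", "webform"
    scope: str                          # what the requester asked for
    pause_start: Optional[date] = None  # day we asked for ID / clarification
    pause_end: Optional[date] = None    # day the requester answered
    extension_months: int = 0           # 0, 1 or 2 further months
    systems_searched: List[str] = field(default_factory=list)

    def effective_start(self) -> date:
        """Clock start after any pause: the days spent waiting for ID or
        clarification are added back, then the clock runs again."""
        if self.pause_start and not self.pause_end:
            raise ValueError("clock is still paused: no reply received yet")
        if self.pause_start and self.pause_end:
            return self.received + (self.pause_end - self.pause_start)
        return self.received

    def first_month_deadline(self) -> date:
        """The original one-month deadline; any extension (and its reason)
        must be communicated to the requester by this date."""
        return add_months(self.effective_start(), 1)

    def response_due(self) -> date:
        """Final deadline: one month plus at most two further months."""
        if not 0 <= self.extension_months <= 2:
            raise ValueError("extension may be at most two further months")
        return add_months(self.effective_start(), 1 + self.extension_months)

    def extension_notice_late(self, notified_on: date) -> bool:
        """True if the extension was only communicated after the first month."""
        return self.extension_months > 0 and notified_on > self.first_month_deadline()
```

With a request received on 10 March and no pause, response_due() returns 10 April, matching the article's example; a 7-day wait for ID pushes every date out by 7 days.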
What If a Request Is Excessive or Abusive?
In some cases, a SAR may be manifestly unfounded (for example, made with no real intention of exercising data rights and instead to harass), or manifestly excessive (for example, repeatedly requesting the same information without good reason).
If that applies, you may be able to:
- charge a reasonable fee to deal with the request (based on administrative costs), or
- refuse to act on the request.
If you do refuse (or charge a fee), you should be prepared to justify your decision and explain it to the individual, including telling them about their right to complain to the ICO and seek a judicial remedy.
Common Mistakes Small Businesses Make With Subject Access Request Time Limits
Most SAR issues don’t happen because businesses are trying to do the wrong thing. They happen because there’s no process, the inbox isn’t monitored, or the request gets mistaken for a normal customer complaint.
Here are some common pitfalls to watch out for.
Missing the Request Because It Was Informal
A SAR can be valid even if it’s just a casual message like: “Send me everything you have on me.”
Train staff to recognise SAR language and escalate it to a central owner (often the director, operations lead, or office manager).
Starting the Search Too Late
If you only begin gathering documents in week three, you’ll likely struggle to meet the one-month deadline - especially if you need to review emails and redact third-party data.
Start early, even if you’re still clarifying the scope.
Sharing Too Much (Or Too Little)
Over-disclosure can breach third-party privacy rights. Under-disclosure can trigger an ICO complaint.
This balancing exercise is one of the main reasons businesses seek help - particularly where the requester is in a dispute or is a current/former staff member.
Not Having Clear Privacy Paperwork
Your response should align with what you’ve told people about how you use their data, including how long you keep it and who you share it with.
If your public-facing statements are vague or outdated, SARs can expose that quickly. Having a tailored Privacy Policy helps set expectations and supports consistent handling.
Trying to “Solve” the Problem by Deleting Data
If a SAR arrives, deleting relevant data to avoid disclosure is a serious risk. Apart from being poor practice, it can create regulatory issues and damage your position in a dispute.
If you’re worried about what’s in your records, the safer approach is to get advice and respond correctly.
Not Planning for Requests as You Grow
As your business scales, the volume of personal data grows too - and so does the burden of retrieving it quickly.
Many businesses build SAR readiness into their overall GDPR setup, using structured templates and processes like a GDPR package so they’re not scrambling when the first request arrives.
Key Takeaways
- The core subject access request time limit in the UK is one month, and you must respond without undue delay.
- The one-month clock generally starts when your business receives the request, even if it lands in a shared inbox or a staff member’s email.
- If you reasonably need to verify identity or ask for clarification, the deadline can effectively pause while you’re waiting for what you need.
- You can extend the deadline by up to two additional months for complex requests or multiple requests - but you must tell the requester within the first month and explain why.
- You may be able to charge a reasonable fee or refuse a request if it is manifestly unfounded or manifestly excessive - but you’ll need to justify that decision.
- A strong SAR process includes logging the request, verifying identity where needed, clarifying scope, searching systems, reviewing for third-party data/exemptions, and responding securely.
- Common mistakes include missing informal requests, starting too late, over/under-disclosing data, and relying on unclear privacy paperwork.
- If the request involves employee records, disputes, or large volumes of mixed data, it’s worth getting advice early so you can respond confidently and on time.
If you’d like help setting up your GDPR processes or responding to a Subject Access Request within the right timeframe, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.