A Data Subject Access Request arrives with a clock attached: one calendar month from the day of receipt. If you are reading this because that clock has already run out, the first thing to know is that what you do next matters considerably more than the fact of the miss itself. If you are reading this because the deadline is approaching and you will not make it, you have more options than you think. Either way, panic produces worse outcomes than process.
The deadline, precisely
Under UK GDPR you must respond to a DSAR without undue delay and at the latest within one calendar month of receipt. The date arithmetic matters: the deadline falls on the corresponding date of the following month; where no corresponding date exists, it is the last day of that month; and where it lands on a weekend or bank holiday, it moves to the next working day. A request received on 31 January is due 28 February, not 3 March.
Two legitimate mechanisms can change that date. First, where a request is complex, or where you have received a number of requests from the same individual, you may extend by up to two further months, provided you tell the individual within the first month and explain why. An extension claimed in week five is not an extension; the right has to be exercised inside the original month. Second, the clock can pause while you take reasonable steps to verify the requester's identity, or where you have genuinely needed clarification to identify the information sought. What does not change the date: being busy, the request being inconvenient, or the requester being in dispute with you. Requests made in the context of grievances and litigation carry exactly the same deadline, and those are precisely the ones most likely to be escalated when missed.
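The date rules above, including the month-end and working-day adjustments and the check that an extension was notified inside the original month, written out as an added example (it is not code from any regulator or from this page's author). The function names and the bank-holiday sample are assumptions, as is reading "up to two further months" as three calendar months from receipt; pauses for identity checks or clarification are not modelled.

```python
import calendar
from datetime import date, timedelta

# Constructed sample of 2025 bank holidays (England and Wales), for illustration;
# a real tracker should load the official list for its own jurisdiction.
SAMPLE_BANK_HOLIDAYS = frozenset({
    date(2025, 4, 18), date(2025, 4, 21), date(2025, 5, 5),
    date(2025, 5, 26), date(2025, 8, 25),
})


def add_months(d, months):
    """Corresponding date `months` later; last day of the month if none exists."""
    year, month0 = divmod(d.year * 12 + d.month - 1 + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


def next_working_day(d, holidays):
    """Roll forward past Saturdays, Sundays and listed bank holidays."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def dsar_deadline(received, holidays=frozenset(), extended=False):
    """Response deadline: one calendar month, or three when validly extended.

    Assumption: "up to two further months" is read as three calendar months
    from receipt. Pauses for identity checks or clarification are not modelled.
    """
    return next_working_day(add_months(received, 3 if extended else 1), holidays)


def extension_in_time(received, notice_sent, holidays=frozenset()):
    """True only if the extension notice went out inside the original month."""
    return notice_sent <= dsar_deadline(received, holidays)


if __name__ == "__main__":
    for received in (date(2025, 1, 31), date(2026, 1, 31), date(2025, 3, 21)):
        print(received, "->", dsar_deadline(received, SAMPLE_BANK_HOLIDAYS))
```

The 2026 case shows why the weekend rule matters: 28 February 2026 is a Saturday, so the same 31 January receipt date yields a Monday 2 March deadline.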
What can happen
The consequences of a missed deadline run on a spectrum, and where you land on it depends largely on your response after the miss.
- A complaint, now with a statutory route to your own door. The individual can complain to the ICO, and DSAR handling failures are among the most common triggers. In addition, under the Data (Use and Access) Act, from June 2026 individuals have a statutory right to complain directly to the organisation, which must operate a process for handling those complaints. A missed deadline with no complaints process behind it is now two failings, not one.
- Regulatory enforcement. The ICO distinguishes between a one-off late response and a systemic failure. A single miss with a credible explanation and a completed response typically ends in advice. A pattern escalates: in 2024 the ICO publicly reprimanded Edinburgh and Glasgow city councils for repeated DSAR deadline failures, with one running a backlog covering close to half of all requests received. Published reprimands carry real reputational cost, particularly for organisations whose clients care about data handling. Monetary penalties remain reserved for systemic or wilful cases.
- Court proceedings. Individuals can apply to court for an order compelling compliance, and can claim compensation for damage and distress. Awards for a late DSAR alone are modest, but the legal costs and disclosure burden of defending one are not.
- The litigation amplifier. Most DSARs that turn expensive sit inside an employment dispute or commercial disagreement. A missed deadline hands the other side a procedural failing to add to their case, and it reliably sours settlement discussions.
The first 48 hours after missing a deadline
- Respond now, even if incomplete. A substantive partial response with a firm date for the remainder is materially better than continued silence, both for the individual and for any later ICO assessment.
- Communicate with the requester. Acknowledge the delay plainly, without legalese, and give the completion date. A significant proportion of complaints are driven by silence rather than lateness.
- Document the timeline honestly. When the request arrived, where it sat, why it was missed. If the ICO asks, a candid account with corrective action lands far better than a reconstructed one.
- Check for siblings. Organisations that miss one DSAR usually have others in flight. Find them before they become the pattern that turns advice into a published reprimand.
Stopping the repeat
Missed DSARs are almost never a legal knowledge problem. They are a process problem: requests arriving through channels nobody monitors, no single owner, searches that start in week three, and redaction underestimated by an order of magnitude. The durable fix is a defined intake route, a named owner with a deputy, a day-one triage that sizes the request and starts the clock management, templates for extension and clarification letters so the legitimate mechanisms get used in time, and now a documented complaints procedure to meet the new statutory route. That is a fortnight of process work, and it converts every future DSAR from a fire drill into administration.