A subject access request can arrive in any form: an email to your support inbox, a line in a complaint letter, a comment on a social media post, even a verbal request to a receptionist. There is no prescribed format, no magic words required, and no obligation on the requester to mention "UK GDPR" or "DSAR" at all. The clock starts the moment the request lands — and most organisations don't notice until days have already burned.
Under Article 12(3) of the UK GDPR, you have one calendar month from receipt to respond. The Information Commissioner's Office calculates this from the day after receipt to the corresponding date in the next month. A request received on 15 January is due by 15 February. Miss it, mishandle it, or over-disclose in a panic, and you've turned a routine administrative task into a regulatory and contractual liability.
The hard part isn't the deadline. It's hitting the deadline while redacting third-party data, withholding privileged material, and avoiding the disclosure of information you're legally entitled — or required — to keep back. Speed and precision pull against each other. This post sets out the approach our consultants use for UK GDPR data subject access request handling, one that satisfies both.
What a DSAR Actually Obliges You to Do
A data subject access request is the mechanism, under Article 15 of the UK GDPR, by which an individual obtains confirmation of whether you process their personal data and, if so, a copy of that data plus supplementary information. The supplementary information is often forgotten: the purposes of processing, the categories of data, the recipients or categories of recipients, the retention period, and the existence of their other rights.
The right of access covers their personal data — not documents, not entire email threads, not your internal decision-making logic as a whole. This distinction matters. A requester is entitled to the personal data contained within an email, not necessarily the full email if it carries another person's personal data or confidential business content. Confusing "give me my data" with "give me every file my name appears in" is where over-disclosure begins.
You must provide the response free of charge in most cases. The DPA 2018 and UK GDPR allow you to charge a reasonable fee or refuse only where a request is "manifestly unfounded or excessive" — a high bar the ICO interprets narrowly. Repeated requests, or requests with no genuine intent to exercise the right, may qualify, but you carry the burden of proving it. Treat refusal as the exception, documented and defensible, never the default.
Why the One-Month Deadline Bites Harder Than It Looks
One month sounds generous until you map the workflow. You must verify the requester's identity, locate every system holding their data, extract it, review it for third-party and exempt content, redact, compile, and deliver — across HR systems, CRMs, ticketing platforms, shared drives, backups, and increasingly, cloud services your IT team may not have fully inventoried.
You can extend by a further two months where the request is complex or you've received multiple requests from the same individual (Article 12(3)). But the extension is not automatic. You must inform the requester within the original month, explaining the reasons for the delay. Forget that notification and the extension is invalid — you're already in breach.
Identity verification eats into the clock too. You're entitled to confirm identity before responding, and the deadline effectively pauses until you receive what you reasonably need. But "reasonably" is the operative word. Demanding a passport and two utility bills for a request from a known, logged-in customer is disproportionate and won't impress the ICO if they investigate. Calibrate verification to the sensitivity of the data and the risk of disclosing to the wrong person.
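The deadline arithmetic in this section, as an added Python example that is not part of the original post: it computes the Article 12(3) due date the way the post describes (the corresponding date in the next month) for entries in a hypothetical central DSAR log, treats a two-month extension as valid only if the requester was notified within the original month, and flags overdue entries for the diary. The month-end clamp (a request received on 31 January falls due on the last day of February) follows ICO guidance the post does not spell out; the log record structure is assumed.

```python
import calendar
from dataclasses import dataclass
from datetime import date


def add_months(d: date, months: int) -> date:
    """Corresponding calendar date `months` ahead; if that month is shorter,
    clamp to its last day (ICO practice for a missing corresponding date)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class DsarRecord:
    """One entry in the central DSAR log (hypothetical structure)."""
    reference: str
    received: date                             # day the request landed anywhere in the organisation
    extension_notified: "date | None" = None   # day the requester was told of a two-month extension


def initial_deadline(received: date) -> date:
    """Article 12(3): one month from receipt, i.e. the corresponding date next month."""
    return add_months(received, 1)


def extension_is_valid(record: DsarRecord) -> bool:
    """The extension only counts if the requester was notified inside the original month."""
    return (record.extension_notified is not None
            and record.extension_notified <= initial_deadline(record.received))


def effective_deadline(record: DsarRecord) -> date:
    """One month, plus two further months only when the extension was validly notified."""
    if extension_is_valid(record):
        return add_months(record.received, 3)
    return initial_deadline(record.received)


def status(record: DsarRecord, today: date, warn_days: int = 7) -> str:
    """Diary helper: 'overdue', 'due_soon' or 'on_track' relative to `today`."""
    remaining = (effective_deadline(record) - today).days
    if remaining < 0:
        return "overdue"
    return "due_soon" if remaining <= warn_days else "on_track"


if __name__ == "__main__":
    # Constructed sample log entries, not real requests.
    log = [DsarRecord("DSAR-0001", date(2024, 1, 31)),
           DsarRecord("DSAR-0002", date(2024, 1, 15), extension_notified=date(2024, 2, 20))]
    for r in log:  # the second extension came after 15 Feb, so the deadline stays 15 Feb
        print(r.reference, effective_deadline(r), status(r, date(2024, 2, 12)))
```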
The Step-by-Step Process Our Consultants Implement
A reliable DSAR process is built before the first request arrives, not improvised after. Here is the workflow we deploy in client organisations.
1. Log and acknowledge immediately
Route every potential request to a single owner — usually the DPO or a designated privacy lead. Log the date of receipt, acknowledge to the requester, and trigger identity verification the same day. A central log is your evidence trail if the response is ever challenged.
2. Scope the request
Clarify what the individual actually wants. You're permitted to ask a requester to specify the information or processing activities their request relates to where you process a large quantity of data about them (Recital 63). This isn't a stalling tactic — it focuses the search and reduces the risk of dumping irrelevant third-party data into the response.
3. Search comprehensively
Map your data estate in advance. Know which systems hold personal data and who controls each. CloudAuditX surfaces where personal data sits across multi-cloud environments, which is exactly the visibility a DSAR demands. You cannot fulfil an access request for data you don't know you hold.
4. Review and apply exemptions
This is the stage that separates compliant responses from disclosure breaches. Review every item for third-party personal data, legal professional privilege, management forecasting, negotiations, and the other exemptions in Schedule 2 of the DPA 2018. Redact what you must withhold and record why — your reasoning is your defence.
5. Compile and deliver securely
Provide the response in a commonly used electronic format where the request was made electronically. Encrypt the delivery. Sending a packaged DSAR response as an unprotected attachment to a misremembered address is itself a personal data breach.
The Mistakes That Turn a DSAR Into a Breach
Over-disclosure of third-party data is the most common and most damaging error. When a requester's record contains another individual's personal data — a colleague named in an HR grievance, a customer mentioned in a complaint — you must not disclose it unless that third party consents or it's reasonable to disclose without consent. Section 45 and the balancing test under the DPA 2018 govern this. Redact names, contact details, and any identifying context.
The second failure is treating DSARs as a purely manual, ad hoc task. When requests are rare, no one owns the process, and the first one in a year triggers a scramble. DSAR process automation — even lightweight workflow tooling that logs receipt, sets deadline reminders, and tracks each stage — removes the human error that drives missed deadlines and inconsistent redaction.
The third is misjudging exemptions in both directions. Some organisations withhold everything defensively, which breaches the right of access. Others disclose everything to be "transparent," which breaches third parties and surrenders privilege. Neither extreme is compliant. Apply each exemption deliberately, item by item, and document the decision.
- Starting the clock late — the deadline runs from receipt, not from when the request reaches the right desk.
- Forgetting the supplementary Article 15 information — a data copy alone is incomplete.
- Invalid extensions — failing to notify the requester within the first month.
- Disproportionate ID checks — using verification to delay rather than protect.
- Insecure delivery — emailing sensitive records without encryption.
A Working Checklist for Response Timeline Compliance
Use this against every request to keep response timeline compliance under control:
- Receipt logged and acknowledged; one-month deadline calculated and diarised.
- Identity verified proportionately; clock paused only where genuinely necessary.
- Scope confirmed with the requester where the data volume justifies it.
- All systems searched against a maintained data map, including cloud and backups.
- Each item reviewed for third-party data and Schedule 2 exemptions, with reasons recorded.
- Response compiled with Article 15 supplementary information and delivered securely.
Build this once, embed it in policy, and rehearse it. A DSAR shouldn't feel like an emergency. For more on operationalising data protection controls, see our insights.
How Pyralink Helps
Pyralink Innovation Ltd builds DSAR processes that hold up under scrutiny. Our consultants — led by Michael Adedeji (CISM, CISA, CC, MSc Data Science) — design the data maps, response workflows, and redaction standards that let your team meet the one-month deadline without disclosing what they shouldn't. We've implemented these controls in production environments, not lifted them from a template.
Where data protection sits inside a wider compliance programme, our fractional vCISO service (from £497/mo) gives you senior privacy and security leadership without a full-time hire. We align DSAR handling with ISO 27001 certification so your access controls, asset inventory, and information classification all support each other. Pyralink carries £5M professional indemnity insurance, so the advice you act on is backed.
Not sure where your personal data lives, or whether you could meet a deadline tomorrow? Start with a scan and a conversation.