The ICO (Information Commissioner’s Office) has updated its guidance (August 2019) on the timescale for a Subject Access Request (SAR). 

First of all, what is a Subject Access Request (SAR)?

Under the General Data Protection Regulation (GDPR), an individual can request a copy of the data an organisation holds on them. The request may require the details on why the data is being processed, what type of data this is, any recipients of the data, the length of time it’s been stored, how it was collected and evidence on how this data is being safeguarded. A SAR has no cost to the individual under the new Data Protection Act, unlike previous legislation which allowed up to £10 charge.

How long do you have to respond to a Subject Access Request (SAR)?

Under updated guidelines, a SAR must be responded to, within one (1) calendar month*, and the day of receiving the request counts as day 1. For example, a request received on the 3rd of September requires a response by the 3rd October. The full guidance can be found here 

This timescale clearly shows how important it is for organisations, big and small, to ensure all data collected is well stored, easy to manage all whilst being secure. Without these points, a SAR can become a time-consuming and burdensome process, which if not followed can lead to GDPR fines (up to 4% of annual global turnover or €20 million, whichever is greater ).

We have written a recommended  6 step approach to address a SAR,  this should make it easier for your organisation to deal with such a request. 


*However, if the end date falls on a Saturday, Sunday or bank holiday, the calendar month ends on the next working day.