DSAR10 min read

The One-Month DSAR Clock: When Day One Actually Starts

A DSAR gives your firm one month. The clock starts the day it arrives, not the day someone notices it. Here is what counts as day one, the four ways firms blow the deadline, and how to stop the clock lawfully.

By Daman Kaur

A request lands in a general inbox at 4:40 on a Friday. It does not say "subject access request." It does not mention GDPR. It reads: "I'd like copies of everything you hold about me, including the emails between the partners." It looks like a complaint, so it gets treated like one and sits in a queue.

Three weeks later, someone recognises it for what it is. Now the panic starts, because the deadline is not three weeks away. It is nine days away. The clock has been running since the Friday it arrived.

That is the part firms get wrong most often, and it has nothing to do with the search or the redaction. It is arithmetic. The one-month deadline on a data subject access request is not lost on day thirty. It is lost on day one, by miscounting when day one was.

Day one is the day it arrives, not the day you log it

Start with the rule, because the whole problem lives here. Under Article 12(3) of the UK GDPR, you must respond to a subject access request "without undue delay and in any event within one month of receipt of the request." Receipt. Not triage, not allocation, not the moment the right person opens it.

The ICO's guidance on calculating the time limit is specific about how that month runs. It starts the day you receive the request, whether that day is a working day, a weekend, or a bank holiday, and it ends on the corresponding calendar date the following month. A request received on 3 September is due on 3 October. If there is no corresponding date, because the next month is shorter, you get the last day of that month: a request on 31 March is due 30 April. If the due date lands on a weekend or bank holiday, you have until the next working day.

So the honest way to read the deadline is this. The moment a request touches any part of your firm, the month has begun. The days you spent not recognising it were days off your clock.

Field note: The blunt question I ask a firm is not "how do you handle DSARs?" It is "if a client emailed a paralegal today asking for their file and everything you hold on them, how many days would pass before that started a formal clock?" If the honest answer is "a week, maybe two," the firm is already losing deadlines it has not seen yet.

Because the ICO also notes that the corresponding-date method can leave you a day short in practice, many firms adopt a 28-day working rule instead. Count 28 days from receipt and you are always inside the calendar month, whatever month it is. It is a small discipline that removes an entire category of near-miss.

A DSAR does not announce itself

The reason day one gets missed is that a subject access request has no required form. It does not need to cite Article 15. It does not need the words "subject access." It can arrive by email, by letter, through a web form, over the phone, or buried in the third paragraph of a complaint about a bill.

It can also be received by anyone. A request made to a receptionist, a trainee, or a fee earner's personal work address is received by the firm. The ICO is clear that a request is valid however it is submitted and to whichever member of staff. Your internal routing is your problem, not the requester's, and it does not pause the deadline while the request finds its way to the right desk.

This is why recognition, not response, is the first failure point. A firm can have a competent DSAR process and still blow deadlines because requests spend their first week unrecognised in an inbox nobody owns.

The four ways a firm blows the deadline

Once the clock is running, the month gets consumed in predictable places. In the DSARs I have seen go wrong, it is almost always one of four.

FailureWhere the days goThe fix it needs
Request not identifiedSits in a general or personal inbox, unrecognised, for days or weeksEvery inbound channel triaged against "is this a rights request?" on arrival
VolumeA firm receiving dozens or hundreds cannot process them by hand at the same paceA tracked queue with each request's own deadline, not one shared mental note
The redaction bottleneckReviewing and redacting third-party personal data by eye, page by pageAutomated detection of personal data, with a human confirming the redactions
Poor triageScope never pinned down, so the search sprawls and the exemptions get missedScope and exemptions decided as a first step, logged, before the search starts

The one that surprises firms is the third. They assume the search is the slow part. It is not. Finding the documents is increasingly fast. The slow, unglamorous, deadline-eating step is reading every document for other people's personal data and legally privileged content and redacting it before release.

A subject has a right to their own personal data. They do not have a right to everyone else's. So before anything goes out, someone has to go through the bundle and remove third-party personal data where disclosing it would be unfair, apply the relevant exemptions under the Data Protection Act 2018 (legal professional privilege, management forecasting, negotiations, and others), and confirm what remains is properly the requester's.

Do that across a 40-page bundle and it is an afternoon. Do it across the several thousand pages a contested employment DSAR can generate, by hand, and the month is gone before you have drafted a covering letter. This is the step that turns a routine request into a missed deadline, and it is the step firms consistently under-resource because it is invisible until you are in it.

You can stop the clock, but only lawfully

Here is the part that changed recently, and it is worth getting current on. For contentious or high-volume DSARs, you can now stop the clock, and as of 2026 that sits on a statutory footing rather than just guidance.

The Data (Use and Access) Act 2025 inserted a new stop-the-clock provision into the UK GDPR (Article 12A), and the data-protection provisions were commenced on 5 February 2026. Where you reasonably require further information from the requester to identify the scope of their request, the period between asking and receiving the answer does not count towards the deadline. The Act gives a high volume of data held about the person as an example of when that requirement is genuinely met. The same logic covers pausing while you verify identity, and the Act also confirms you only have to carry out a "reasonable and proportionate" search, not a limitless one.

Two cautions, because this is where firms over-reach. First, the clock only stops for clarification about the information requested, not about anything else, and not as a delaying tactic. The ICO expects you to ask promptly, record the exchange, explain why you need the detail, and be able to justify it. Second, if the request is genuinely complex or you have received a number of them from the same person, you can extend by up to two further months under Article 12(3), but you must tell the requester within the first month and give your reasons. An extension you claim on day 29 without warning is not a lawful extension. It is a missed deadline with a note attached.

What happens when the clock runs out

A missed DSAR is not a quiet internal failure. The requester can complain to the ICO, and DSAR complaints are among the most common the regulator receives. The ICO can require you to respond, and a pattern of late responses is the kind of systemic issue that invites closer attention.

The sharper risk for a law firm is context. DSARs rarely arrive in a vacuum. They cluster around disputes: an exiting employee, a client in a fee argument, the other side in a matter fishing for what you hold. A blown deadline in that setting hands the requester a free grievance, and it lands on top of whatever the underlying dispute already is. The data failure becomes a second front.

What a tracked, triaged process looks like instead

The firms that do not miss DSAR deadlines are not working harder. They have removed the two failure points that matter: recognition and tracking.

A request is triaged the moment it arrives, from any channel, against a simple test of whether it engages a data subject's rights. If it does, it starts a clock dated from receipt, not from recognition. Scope gets pinned down as a first step, with any clarification request logged and the pause recorded against the deadline. The search runs, personal data belonging to third parties is detected automatically, and a human confirms the redactions rather than hunting for them line by line. The response is assembled as a draft and held for the DPO to review and release. Nothing goes out on its own.

That is exactly the workflow the Privacy and Data Protection Agent is built to run: DSARs triaged and tracked to the one-month deadline, PII detection and redaction applied before review, and every response held as a draft for the DPO. It sits alongside the other privacy work a firm has to keep straight, from Article 28 processor agreements to the PIA-versus-DPIA triage that decides which assessment a new project even needs. If you want the wider picture on why client data and consumer AI tools do not mix, we wrote that up in is ChatGPT confidential for lawyers.


LegalAI Space builds AI agents for legal teams with a governance layer that makes every output verifiable, compliant, and audit-ready. Sign up for early access or book a pilot call with Founder Daman Kaur.


FAQ

When does the one-month DSAR clock start? It starts on the day you receive the request, not the day you recognise it, log it, or route it to the right person. The ICO calculates the month from the date of receipt, including if that falls on a weekend or bank holiday, ending on the corresponding calendar date the next month. Because a request can be received by any member of staff through any channel, the safest reading is that the clock starts the moment the request touches the firm.

Does a DSAR have to mention "subject access" or GDPR? No. A subject access request has no required wording or format. It does not need to cite Article 15 or use the phrase "subject access request." Any request from an individual for their own personal data counts, whether it arrives by email, letter, web form, phone, or inside a complaint about something else.

Can you stop the clock on a DSAR? Yes, in defined circumstances. Since the Data (Use and Access) Act 2025 provisions came into force on 5 February 2026, where you reasonably need further information to identify the scope of a request, the period between asking and receiving it does not count towards the deadline. You can also pause while verifying identity. It cannot be used as a delaying tactic: the ICO expects you to ask promptly, keep records, and justify the request.

Can you extend a DSAR deadline? Yes. Under Article 12(3) of the UK GDPR you can extend by up to two further months where the request is complex or you have received a number of requests from the same person. You must tell the requester within the first month and explain the reason. An extension claimed after the month has run is not valid.

How long can you take to respond to a DSAR? One month from receipt as standard, extendable by up to two further months for complex or numerous requests, plus any lawful stop-the-clock period while you seek clarification or verify identity. In practice, treating the limit as 28 days from receipt keeps you safely inside the calendar month.

What is the slowest part of responding to a DSAR? Redaction, not searching. Reviewing every document for third-party personal data and privileged content and removing it before release is the manual step that consumes the month, especially on high-volume or contentious requests. Finding the documents is comparatively fast.


Sources

  • UK GDPR, Article 12(3). A controller must provide information on action taken on a request under Articles 15 to 22 without undue delay and in any event within one month of receipt, extendable by two further months where necessary taking into account the complexity and number of the requests, with the data subject informed of any extension within one month.

  • ICO, Time limits for responding to data protection rights requests and Right of access guidance. The month is calculated from the day of receipt (including weekends and bank holidays) to the corresponding calendar date the next month; a valid request can be made to any part of an organisation, in any format, and need not mention "subject access" or the UK GDPR.

  • Data (Use and Access) Act 2025. Inserts a stop-the-clock mechanism into the UK GDPR (Article 12A) where a controller reasonably requires further information to identify the scope of a subject access request, and confirms that searches need only be reasonable and proportionate. The data-protection provisions were commenced on 5 February 2026 by SI 2026/82.

  • Data Protection Act 2018. Sets out the exemptions that apply to subject access, including legal professional privilege and provisions protecting third-party personal data, which govern what must be redacted before release.