The standard deadline for responding to a Subject Access Request is one calendar month from the date the request is received. For many organisations — particularly those dealing with large volumes of data, multiple systems or complex exemption questions — that deadline can feel very tight.
UK GDPR does provide a mechanism for extension. But it comes with conditions that are frequently misunderstood, and misapplying the extension rules creates its own compliance risk.
The One-Month Rule: Where the Clock Starts
Under Article 12(3) of UK GDPR, the response period begins on the day the SAR is received — not the day you open it, not the day you decide it is valid, and not the day the individual confirms their identity (unless you genuinely cannot identify them without further information).
The deadline falls on the corresponding date in the following calendar month. So a SAR received on 10 March must be responded to by 10 April. Where that date does not exist in the following month (e.g. a SAR received on 31 January falls due on 28 or 29 February), the deadline is the last day of that month.
The clock runs from receipt of the request — not from the date you confirm its validity. Even if you have questions about the scope or identity of the requester, the one-month period is already running.
When Can You Extend? The Legal Grounds
Article 12(3) of UK GDPR permits a two-month extension — bringing the total response period to three months — but only in two specific circumstances:
- The request is complex — the complexity must relate to the nature of the data involved, the difficulty of applying exemptions, or the technical challenge of extracting or reviewing the data. Volume alone does not automatically constitute complexity, though very large datasets may contribute to it.
- There are numerous requests — if you have received multiple SARs simultaneously and responding to all of them within the standard timeframe is genuinely impractical, this may justify extension. Again, this must be a genuine operational constraint, not routine workload management.
Crucially, extension is not available simply because:
- Your team is busy or understaffed
- The individual is difficult or litigious
- You haven't started processing the request yet
- The request is inconveniently timed
Claiming an extension without genuine grounds constitutes a breach of the one-month deadline. The ICO does not consider workload pressure or internal resource constraints to be valid reasons for extension. If you extend without proper justification and the individual complains, you face enforcement exposure for the delay plus the unjustified extension.
What Counts as a 'Complex' Request?
The ICO's guidance does not give a precise definition of complexity, but the following factors are relevant:
- Volume and breadth of data — a SAR spanning many years, multiple systems and thousands of documents where meaningful review is genuinely difficult within one month
- Multiple overlapping exemptions — where careful legal assessment is required to determine what can and cannot be disclosed, particularly where legal privilege, third-party data and special category data intersect
- Technical extraction challenges — where data is held in legacy systems, archived formats or across multiple platforms that require specialist extraction before review can begin
- Contested scope — where the boundaries of the request are genuinely unclear and require clarification that itself takes time
The complexity must be inherent to the request itself, not to the organisation's internal processes. Having inadequate data management systems that make searching difficult is not the individual's problem — and is unlikely to constitute valid grounds for extension.
The Notification Requirement: What You Must Do Within the First Month
If you are going to extend, you must notify the individual within the original one-month period. This is a mandatory procedural requirement, not optional. The notification must:
- Be sent before the original one-month deadline expires
- Explain that you are extending the response period
- Give the reasons for the extension — specifically why the request is complex or numerous
- State the new deadline by which you will respond
There is no prescribed form for the notification, but it should be clear, specific and in writing. A generic "we need more time" message is unlikely to satisfy the requirement — you need to explain why this particular request warrants the extension.
An extension notification must: (1) be sent within the original one-month period, (2) explain the specific reasons for the extension, and (3) confirm the new deadline. Missing any of these elements means the extension is procedurally defective.
What Happens If You Miss the Deadline Entirely?
Failing to respond within one month — without having validly extended — is a breach of UK GDPR. The practical consequences depend on the circumstances:
- The individual can complain to the ICO, who will typically contact the organisation and expect a response and remediation plan
- The ICO may issue a formal reprimand, an enforcement notice requiring compliance, or in serious or repeated cases, a monetary penalty
- In employment contexts, a failure to respond within the deadline can be used against the organisation in tribunal proceedings — creating an adverse inference that relevant data was being withheld
- If the delay was significant and the individual suffered harm as a result, they may have grounds for a compensation claim under Article 82 of UK GDPR
Practical Tips for Avoiding Deadline Pressure
The most effective way to manage SAR deadlines is to build a response process that doesn't leave the heavy lifting to the final week. Some practical steps:
- Acknowledge immediately — send a confirmation the day the SAR arrives, note the deadline in your system, and assign ownership of the response
- Scope early — begin mapping data sources within the first few days, so that the volume of the task becomes clear before it is too late to manage
- Don't wait for clarity on scope — if you need clarification from the individual, ask quickly, but do not use a request for clarification as a reason to pause the clock without a proper basis
- Build a repeatable process — organisations that handle SARs regularly benefit from having a documented workflow with clear roles, so the response process doesn't have to be reinvented each time
- Know when to bring in support — if the dataset is large or the exemption questions are complex, specialist support is often faster than handling it in-house under time pressure
Frequently Asked Questions
Can you extend a SAR deadline?
Yes — but only where the request is complex or numerous. The extension adds two months to the standard one-month period, giving a total of three months. You must notify the individual of the extension and the reasons for it within the original one-month period.
What counts as a complex SAR?
Complexity relates to the nature of the data, the difficulty of applying exemptions or technical challenges in extraction. Large volume alone is not automatically sufficient — the complexity must be genuine and relate to the specific request. Internal resource constraints or poor data management practices are not valid grounds.
What must the extension notification include?
The notification must be sent before the original one-month deadline, explain the specific reasons why the request is complex or numerous, and state the new deadline. It should be clear and specific — a generic delay notice is not sufficient.
What happens if you miss the SAR deadline entirely?
Missing the deadline without having validly extended is a breach of UK GDPR. The individual can complain to the ICO, who may investigate and take enforcement action. In employment contexts, it can also have adverse consequences in tribunal proceedings.
Can you stop the clock by asking for identity verification?
Only where you genuinely cannot identify the individual without further information. You may ask for clarification where the request is unclear, but this should be done promptly and does not automatically pause the one-month deadline. The deadline is paused only where you have reasonable doubts about identity and request verification proportionately.