The consequences of a SAR failure are often described in abstract terms — "ICO enforcement action", "regulatory risk" — in a way that makes them feel theoretical. They are not. UK organisations have faced enforcement notices, financial penalties, employment tribunal defeats and significant reputational damage as a direct result of SAR handling failures.
Understanding the real cost of getting it wrong is the most effective case for getting it right — or bringing in specialist support when you need it.
Failure 1: Missing the Deadline
The UK GDPR deadline for responding to a SAR is one calendar month from the date of receipt. It can be extended by two further months for complex requests — but only if the requester is notified within the original one-month period. Failing to meet the deadline is a breach of UK GDPR Article 12(3).
What actually happens when you miss the deadline:
- ICO complaint — The requester can immediately complain to the ICO. The ICO will typically contact the organisation, ask for an explanation, and may issue a formal reprimand or enforcement notice requiring a response.
- Employment tribunal adverse inference — In the context of employment disputes, a tribunal may draw adverse inferences from a failure to respond. If a claimant submitted a SAR before or during proceedings and the employer failed to respond, the tribunal may assume the missing data was damaging to the employer's case.
- Escalating ICO intervention — Repeated failures, or a failure in combination with other data protection concerns, can trigger a formal ICO investigation and potential monetary penalty.
The ICO has issued enforcement notices to a range of organisations — from councils to healthcare providers — for failure to respond to SARs within the statutory deadline. Enforcement notices are published on the ICO website and are a matter of public record.
Failure 2: Over-Disclosing Third-Party Data
Failing to redact a colleague's personal data — their name, email address, personal details, opinions or sensitive information — from a SAR response is itself a data breach. It is a breach of UK GDPR Article 5 and can expose the third party whose data was disclosed to harm.
The consequences are twofold. First, the third party whose data was disclosed may complain to the ICO or seek compensation. Second, the organisation faces regulatory exposure for failing to apply appropriate data protection measures to the disclosure process.
In HR contexts, this can be particularly damaging. Imagine a disciplinary case where a colleague's witness statement is disclosed in full — including their identity — via a SAR response to the subject of the proceedings. The colleague faces retaliation. The colleague complains to the ICO. The organisation now has two data protection problems instead of one.
Failure 3: Under-Redacting Sensitive Content
Disclosing content that should have been withheld — legal advice, management planning information, confidential references — can waive privilege, expose litigation strategy and breach the DPA 2018 exemption framework. In legal proceedings, this can be severely damaging to the organisation's position.
Legal professional privilege, once waived, cannot be reinstated. If privileged communications are inadvertently disclosed in a SAR response — because the reviewer did not identify them as privileged — the privilege is lost and the disclosed content can be used in proceedings against the organisation.
Failure 4: Failing to Respond at All
Failing to respond to a SAR entirely — whether through oversight, resource failure or a mistaken belief that the request is invalid — is the most serious failure category. The ICO takes complete non-responses seriously and is more likely to escalate to formal enforcement than in cases of delayed or incomplete responses.
Failure 5: Inadequate Redaction Documentation
Even where the redaction decisions themselves are substantively correct, failing to document the legal basis for each withholding leaves the organisation exposed if challenged. The ICO may ask for justification, and "we thought it should be redacted" is not a defensible answer.
The Financial Cost — Beyond the Fine
ICO fines for SAR failures are not typically the largest financial exposure. The broader costs include:
- Employment tribunal awards — Where a SAR failure contributes to an adverse tribunal outcome, the financial exposure can significantly exceed any ICO penalty.
- Legal costs — Defending an ICO investigation or tribunal claim arising from a SAR failure generates legal costs regardless of the outcome.
- Management time — An ICO investigation requires significant management and legal resource to respond to information requests, prepare submissions and engage with the process.
- Reputational damage — ICO enforcement notices are published publicly. For organisations where trust and reputation are commercially important, this can have a lasting impact.
The Cost of Getting It Right
Against this backdrop, the cost of specialist SAR support is straightforward to justify. A fixed-fee SAR case handled by E2E Integration — from £495 for a standard case — provides a complete, on-time, defensible response with a full audit trail. The risk profile of that outcome is fundamentally different from an in-house response that may be late, incomplete or inadequately documented.
The question is not whether SAR support costs money. It is whether the cost of support is proportionate to the risk of the alternative. In most cases where specialist support is the right call, the answer is clearly yes.
Don't let a SAR become a compliance crisis.
E2E Integration delivers complete SAR responses — review, redaction and disclosure pack — with a full audit trail and 100% on-time record. Fixed fee from £495. On your case within 24 hours.
Frequently Asked Questions
What is the maximum ICO fine for a SAR failure?
Under UK GDPR, the ICO can issue fines of up to £17.5 million or 4% of global annual turnover for the most serious breaches. In practice, SAR-specific failures tend to result in enforcement notices, reprimands or smaller fines — but the maximum applies to serious or repeated non-compliance. The ICO publishes all enforcement action on its website.
Does a SAR failure automatically result in an ICO fine?
No. The ICO's primary approach to SAR complaints is typically to contact the organisation, request an explanation, and expect remediation. A first-time failure with a remediation plan and a credible explanation is more likely to result in a reprimand or enforcement notice than a significant financial penalty. However, repeated failures, failures in combination with other concerns, or failures involving large-scale data breaches significantly increase the risk of a monetary penalty.