What happens when someone asks to see their data

Andy Williamson 16 April 2026
SAR insight guide

An email lands with someone in customer services. It reads: "Please send me a copy of everything you hold about me." No phone call to the data protection officer. No mention of UK GDPR. No use of the phrase "subject access request."

The one month clock started the moment that email was received.

This is how subject access requests (SARs) actually arrive. They don't announce themselves in legal language, and they don't come through a formal channel that raises an alert. They land wherever the requester chooses to send them: the shared inbox, a line manager's personal address, the contact-us form on the website, a direct message on LinkedIn or another social media channel. If the first person to see the request doesn't recognise what it is, the organisation is already losing time it won't get back.

The law on subject access has been clear for years. What goes wrong almost always sits in the workflow. Every organisation the Information Commissioner's Office has reprimanded for SAR failures had a SAR policy. The policy is rarely the problem. The problem is almost always what happens between the request arriving and a response going out.

The Data (Use and Access) Act 2025 is the most significant update to UK data protection law since UK GDPR came into force. It gives controllers new tools, but the tools only really help organisations who have their operational foundations firmly in place.

Any request for personal data, from any individual, through any channel

A subject access request is the right of any living individual to obtain a copy of the personal data an organisation holds about them, together with specified information about how that data is being used. The right sits in Article 15 of the UK GDPR; the procedural obligations sit in Article 12.

Three operational facts matter more than any legal nuance.

A SAR has no prescribed form. It can be verbal, written, emailed, sent by letter, or posted via social media. The requester doesn't need to use the phrase "subject access request" or cite the UK GDPR. Any intelligible request for personal data, whatever format it arrived in, counts.

A SAR can arrive anywhere in the organisation. The clock starts when the request reaches any employee, not when it reaches the DPO or whoever is tasked with dealing with SARs. An informal email to a line manager starts the same one month countdown as a formal request sent to the organisation's DPO inbox.

The response must be in a plain, intelligible form. Article 12(1) requires it to be concise, transparent, and accessible. The requester is entitled to the personal data itself, plus the supplementary information listed in Article 15(1)(a) to (h): purposes, categories, recipients, retention period, source, and the existence of any automated decision making. A dump of thousands of unindexed documents is not compliant.

That's the legal spine. Legal judgements recur throughout the thirty days that follow (on exemptions, third party rights, refusal thresholds), but where organisations most often fail is not on a point of law.

What the DUAA 2025 changed, and what it deliberately did not

The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025. Its main data protection provisions commenced on 5 February 2026 via the Commencement No. 6 Regulations (SI 2026/82).

Three changes matter for SARs.

Reasonable and proportionate search. A new Article 15(1A) requires the controller to provide only what it is able to provide based on a reasonable and proportionate search. This codifies the principle running through UK case law since Ittihadieh v 5-11 Cheyne Gardens [2017] EWCA Civ 121. The obligation is not to leave no stone unturned. What counts as reasonable is a function of the size of the organisation, the nature of the data, and the resources available. It isn't a licence to run with a narrow search.

Stop the clock. A new Article 12A allows the controller to pause the one month deadline where it reasonably requires further information for identity verification, clarification of scope, or receipt of a lawfully charged fee. The clock restarts at the latest of those three events. Article 12A(6) gives a worked example: where the controller holds "a large amount of information concerning the data subject," it can legitimately ask the requester to narrow the scope before the clock starts running.

Mandatory complaints handling. Under section 103 of the DUAA, controllers will be required to facilitate complaints, acknowledge them within 30 days, and respond without undue delay. This is not yet in force. It commences on 19 June 2026, but refusal responses already need to signpost the forthcoming right.
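To make the stop-the-clock mechanism described above concrete, here is a small added model (not from the original article, and not a Penby tool) of the one month deadline with Article 12A pauses: the clock starts on receipt by anyone, pauses when the controller asks for identity, scope or a fee, and restarts only when the last outstanding item arrives. It assumes ICO-style calendar-month counting and a plain day-count extension; weekend and bank-holiday adjustments are not modelled.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
import calendar

# The three Article 12A grounds named on the page.
PAUSE_GROUNDS = {"identity", "scope", "fee"}


def add_one_month(d: date) -> date:
    """One calendar month on: the same day next month, or that month's last
    day when it has no such day (31 Jan -> 28 Feb). Assumption: ICO-style
    counting; no working-day adjustment."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class SarClock:
    received: date                    # day the request reached ANY employee
    outstanding: dict = field(default_factory=dict)  # ground -> date asked
    paused_since: Optional[date] = None
    paused_days: int = 0              # completed pauses, in whole days

    def ask_for(self, ground: str, on: date) -> None:
        """Controller asks the requester for identity, scope or a fee."""
        if ground not in PAUSE_GROUNDS:
            raise ValueError(f"not an Article 12A ground: {ground}")
        if self.paused_since is None:  # a second request does not reset the pause
            self.paused_since = on
        self.outstanding[ground] = on

    def received_item(self, ground: str, on: date) -> None:
        """Requester supplies an item; the clock restarts only when the LAST
        outstanding item (the latest of the events) has arrived."""
        del self.outstanding[ground]
        if not self.outstanding and self.paused_since is not None:
            self.paused_days += (on - self.paused_since).days
            self.paused_since = None

    def deadline(self, today: date) -> date:
        """Deadline as it stands today; an open pause keeps pushing it out."""
        extra = self.paused_days
        if self.paused_since is not None:
            extra += (today - self.paused_since).days
        return add_one_month(self.received) + timedelta(days=extra)


if __name__ == "__main__":
    # Constructed scenario: email reaches customer services on 10 March 2026.
    clock = SarClock(received=date(2026, 3, 10))
    clock.ask_for("identity", date(2026, 3, 12))
    clock.ask_for("scope", date(2026, 3, 13))
    clock.received_item("identity", date(2026, 3, 15))
    clock.received_item("scope", date(2026, 3, 20))
    print(clock.deadline(date(2026, 4, 1)))   # 2026-04-18
```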

The most important point of precision for 2026 concerns what did not change. The earlier Data Protection and Digital Information Bill proposed replacing the refusal threshold, moving the test from "manifestly unfounded or excessive" to "vexatious or excessive." That proposal was dropped. Article 12(5) is unamended. The test remains manifestly unfounded or excessive, interpreted narrowly, with the burden on the controller.

The mistaken belief that refusals are now easier is circulating widely in social media commentary. Organisations acting on it will find the ICO unimpressed. The DUAA is a refinement, not a deregulation, and the architecture of the subject access right is essentially unchanged.

Why SARs go wrong in organisations that have policies

Every reprimanded organisation had a SAR policy. Some organisations still don't, and that is a failure point in its own right. But among those that do, the policy is almost never where things break. The workflow is.

The first failure is often at the point of arrival. A SAR lands with someone who doesn't know what they're looking at. Front line staff are trained to handle customer queries, not data protection requests, and the request moves through the organisation on the strength of whoever happens to notice what it is. By the time it reaches the DPO, the response window has often lost its first week. SAR recognition training for the people most likely to receive one first is probably the single highest-leverage intervention an organisation can make, and yet many organisations fail to do it systematically.

The second failure is scope. SAR policies normally list the systems the organisation expects to search. Yet in reality, organisations often don't have a complete map of where personal data actually lives. Email archives are typically the single largest source of personal data in any business, including sent items, deleted items, and shared mailboxes. Then the estate expands: Teams and Slack histories, CRM free text fields full of unstructured notes, call recordings and meeting auto-transcripts, CCTV and access control data, bring your own devices, and still plenty of paper records in some sectors.

Generative AI interaction logs are their own category. The prompts staff submit, often with attached documents, contain personal data, and AI generated assessments may be produced about individuals who don't know they've been processed. Almost no SAR policy accounts for them yet. Ashley v HMRC [2025] EWHC 134 (KB) confirmed what the law already implied: limiting a search to a single department or a narrow date window falls short of the statutory standard. The controller must search the organisation as a whole.

In any business that's been running for more than five years, the data map in the policy and the data map in reality are distant relatives. The policy gets updated when someone remembers to. The organisational data estate grows by the day.

Redaction is the third place SARs fall apart. Third party personal data is handled under a balancing test, not a blanket prohibition. Paragraph 16 of Schedule 2 to the Data Protection Act 2018 permits withholding only to the extent that it is not reasonable to disclose without the third party's consent. The test is a case by case assessment of the information, any duty of confidentiality, whether consent has been sought, and whether the third party has expressly refused. Redaction of identifying details is often sufficient. Withholding entire documents because they mention third parties is disproportionate. Over-redaction is as much a failure as under-redaction.

Harrison v Cameron and ACL [2024] EWHC 1377 (KB) tightened this further. Where a data subject asks for the specific identities of recipients under Article 15(1)(c), the controller must in principle provide them, not just the categories. Schedule 2 paragraph 16 can still justify withholding, but the default has shifted. The ICO's December 2025 guidance update incorporates the judgment.

The last common failure is communication. Article 12(1) requires a response in plain, intelligible form. A zipped folder of unindexed PDFs isn't compliant, and neither is a redacted bundle with no explanation of what has been withheld, or why. The duty when withholding is explicit: disclose everything not exempt, explain what has been withheld and under what exemption in enough detail for the requester to understand, and signpost the right to complain to the ICO and seek a judicial remedy.

The ICO's public register of reprimands traces back to these four failures almost without exception.

No monetary penalties, but the risk has shifted

No monetary penalty has ever been imposed by the ICO specifically for SAR non-compliance. The enforcement reality is quieter and harder to ignore than fines.

Reprimands are the dominant tool. Since 2022 the ICO has reprimanded the Home Office, the Ministry of Defence, Kent Police, Virgin Media, three London boroughs, two Scottish councils, United Lincolnshire Teaching Hospitals NHS Trust, and South Wales Police for SAR failures, among others. Twelve of the thirteen verified SAR specific reprimands target public bodies.

Enforcement notices are rarer and more serious. On 27 August 2025 the ICO issued one against Bristol City Council. It was a legally binding order with a remediation plan. The council had 231 overdue SARs by June 2025, some dating to January 2022, and had responded to only 42% of the 961 requests received between April 2023 and March 2024 within the statutory timeframe. The notice required notification to affected individuals, resolution of the 2022 cases within 30 days, weekly progress updates, and staffing improvements within 12 months. The oldest of those overdue requests had been sitting in the council's systems, unanswered, for more than three years.

The shift that matters most is at the individual level. On 3 September 2025, at Beverley Magistrates' Court, care home director Jason Blake was convicted under section 173 of the Data Protection Act 2018. The request he obstructed had been made by a resident's daughter, acting under lasting power of attorney. The information she was asking for included incident reports, CCTV, and care notes.

Blake was fined £1,100 and ordered to pay £5,440 in costs. It was the first high profile individual director prosecution of its kind. The assumption that SAR obstruction is an organisational risk rather than a personal one is no longer tenable.

Complaint volume paints a different picture from enforcement. Subject access is the most common data protection complaint to the ICO, around 45% of the 35,000 complaints received in 2022–23. Total data protection complaints reached 42,315 in 2024–25. The heaviest sectoral concentration sits in financial services, general business, and online technology, sectors that draw almost no reprimands. Complaint volume doesn't map onto enforcement risk. It maps onto civil claim exposure under section 167 of the Data Protection Act 2018, and onto reputational cost the ICO's enforcement pattern doesn't capture.

What a defensible response actually looks like

A defensible response isn't a perfect response. It's one the organisation can explain.

Recognise the request the moment it arrives. This is a front line training question, not a policy question. The staff most likely to receive an informal SAR should be able to spot one and know exactly where to route it.

Own the clock. One person, normally the DPO or a nominated data protection lead, holds the clock and the documented log. Routing delays are the organisation's problem, not the requester's.

Verify identity proportionately. Where the requester is known to the organisation, heavy handed verification demands simply delay the response. Under the new Article 12A, the clock pauses only where further information is reasonably required.

Scope the search against reality. The map of where personal data actually lives is more important than the one the policy assumes. That map includes email, messaging, meeting transcripts, AI logs, and everything else that has entered the data estate in the last three years.

Apply exemptions narrowly and document the reasoning. Schedule 2 is a set of balancing tests, not blanket blocks.

Use the new tools where they genuinely apply. Stop the clock when scope clarification is needed, not as a general delay tactic, and not as a back door route to declaring a request manifestly excessive. The ICO's own worked example of a four person business asked to review 3,000 emails doesn't find the request excessive. It recommends clarification and summarisation, not refusal.

Communicate clearly throughout. Always acknowledge receipt, explain what's being searched, and flag any narrowing of scope. Deliver the response in plain, intelligible form. Tell the requester about any data that's been withheld and explain why.

The law hasn't softened

The DUAA gives controllers legitimate tools they didn't have before. Reasonable and proportionate search codifies what was already implicit in the case law. Stop the clock provides a disciplined mechanism for scope and identity. Both tools reward organisations with the operational foundations in place: the data map, the recognition training, the routing, and the documented reasoning. Organisations without those foundations will struggle to use the new tools well, and the ICO is unlikely to be lenient.

Go back to the request that opened this article. It landed without ceremony and without citing the GDPR. Whether it becomes a fully controlled thirty day response or the opening line of an ICO reprimand depends almost entirely on what happens in the first few hours after it arrives.
