DSAR Response Deadlines: How Long Do You Have?

DSAR response deadlines compared across GDPR, CCPA, UK DPA, and PIPEDA, including extensions and what happens if you miss them.

Last updated: 2026-02-07

How Long Do You Have to Respond to a DSAR?

The answer depends on which law applies, and the differences matter. Get the deadline wrong, and you are looking at regulatory complaints, fines, and the kind of attention no small business wants.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the GDPR (in particular Article 12(3)), the CCPA (Cal. Civ. Code § 1798.130(a)(2)), and the UK GDPR (Article 12(3)), as of the date of publication.

Here is the straightforward answer, followed by everything you need to know about extensions, when the clock starts, and what happens when you miss it.

The Deadlines at a Glance

| Regulation | Standard Deadline | Maximum Extension | Total Maximum Time |
|---|---|---|---|
| EU GDPR | 30 calendar days | +60 days (for complex requests) | 90 days |
| UK GDPR / DPA 2018 | 30 calendar days | +60 days (for complex requests) | 90 days |
| CCPA / CPRA (California) | 45 calendar days | +45 days | 90 days |
| PIPEDA (Canada) | 30 days | Limited extension possible | Varies |
| Virginia VCDPA | 45 days | +45 days | 90 days |
| Colorado CPA | 45 days | +45 days | 90 days |
| Connecticut CTDPA | 45 days | +45 days | 90 days |

Notice a pattern? Almost every regulation gives you roughly 30 to 45 days as a standard deadline, with extensions bringing the total up to about 90 days maximum. The regulators have broadly aligned on this, which is one of the few convenient things about the current privacy landscape.

But there are important nuances in each one that can catch you out. Let's go through them.

EU GDPR: 30 Calendar Days

Under Article 12(3) of the GDPR, you must respond to a data subject access request without undue delay and in any event within one month of receipt of the request.

When Does the Clock Start?

The clock starts on the day you receive the request. Not the day you read it, not the day you forward it to the right person, and not the day you get around to dealing with it. The day it arrives.

There is one nuance: if you need to request identity verification, the European Data Protection Board (EDPB) has indicated that the clock can be treated as starting when you receive sufficient information to verify the requester's identity — but only if you ask for verification promptly. If you wait two weeks before asking for ID, you do not get to restart the clock from day 14.

Calculating the Deadline

"One month" means one calendar month, not 30 days. If a request is received on January 15, the deadline is February 15. If received on January 31, the deadline is the last day of February (February 28 or 29).

If the deadline falls on a weekend or public holiday, you have until the next working day.

Extensions Under GDPR

You can extend by up to two additional months (three months total) if the request is:

  • Complex — for example, it involves large volumes of data, multiple systems, significant redaction of third-party data, or the application of exemptions
  • Numerous — you have received a high volume of requests from the same individual in a short period

To use the extension, you must:

  1. Notify the requester within the initial one-month period — you cannot just go silent and respond in month three
  2. Explain why the extension is necessary — "we're busy" does not cut it; you need a genuine reason related to the complexity of the request
  3. Give a revised deadline — tell them when they can expect the response

Using the extension should be the exception, not the rule. If you are extending every request, that signals a process problem, not complex requests.

UK GDPR / Data Protection Act 2018: 30 Calendar Days

The UK rules are virtually identical to the EU GDPR rules (UK GDPR Article 12(3)), which makes sense since the UK GDPR was transposed directly from the EU GDPR.

  • Standard deadline: One calendar month
  • Extension: Up to two additional months for complex or numerous requests
  • Must notify the requester within the first month if extending

The ICO (Information Commissioner's Office) provides detailed guidance on calculating timelines that aligns with the EU approach. One thing the ICO has been clear about: requesting identity verification does not formally "stop the clock," but the ICO takes a practical view. If you asked for verification promptly and the requester took two weeks to provide it, the ICO is unlikely to find against you for responding a few days late.

That said, do not game this. The ICO can tell the difference between a genuine verification need and a stalling tactic.

CCPA / CPRA (California): 45 Calendar Days

The California Consumer Privacy Act gives businesses 45 calendar days to respond to a consumer's request to know (Cal. Civ. Code § 1798.130(a)(2)), which is California's version of a DSAR.

When Does the Clock Start?

The clock starts when you receive the request, regardless of how it was submitted. CCPA regulations require businesses to provide at least two methods for consumers to submit requests (for online-only businesses, at a minimum an email address and a web form).

Extensions Under CCPA

You can extend by one additional 45-day period (90 days total) if:

  • The extension is "reasonably necessary"
  • You notify the consumer within the original 45-day period
  • You provide a reason for the extension

CCPA-Specific Wrinkle: Verification Timelines

Under CCPA, the verification process has its own timing considerations. The regulations require you to verify the consumer's identity before disclosing personal information, and the level of verification required depends on what type of data is being requested:

  • Categories of data — requires a "reasonable degree of certainty" (match at least two data points) (Cal. Civ. Code § 1798.130)
  • Specific pieces of data — requires a "reasonably high degree of certainty" (match at least three data points) plus a signed declaration under penalty of perjury (Cal. Civ. Code § 1798.130)

The clock still starts at receipt, but if the consumer fails to provide verification information after you have requested it, you can notify them that you cannot process the request without it. If they never verify, you do not have to provide the data — but you need to document this properly.

PIPEDA (Canada): 30 Days

Canada's Personal Information Protection and Electronic Documents Act requires organizations to respond to access requests within 30 days of receiving the request.

Extensions Under PIPEDA

PIPEDA allows extensions in limited circumstances, including:

  • When meeting the deadline would unreasonably interfere with the activities of the organization
  • When additional time is necessary to convert the personal information into an appropriate format

If you need to extend, you must:

  1. Send the requester a notice of extension within the original 30 days
  2. Include the new deadline
  3. Explain why the extension is needed
  4. Inform them of their right to complain to the Privacy Commissioner of Canada

The extension period is not as clearly defined as in GDPR (there is no explicit "up to two additional months" rule), but extensions should be reasonable and proportionate.

US State Privacy Laws: 45 Days (Generally)

Beyond California, a growing number of US states have enacted comprehensive privacy laws. Most follow a similar pattern:

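| State | Law | Standard Deadline | Extension |
|---|---|---|---|
| Virginia | VCDPA | 45 days | +45 days |
| Colorado | CPA | 45 days | +45 days |
| Connecticut | CTDPA | 45 days | +45 days |
| Utah | UCPA | 45 days | +45 days |
| Texas | TDPSA | 45 days | +45 days |
| Oregon | OCPA | 45 days | +45 days |
| Montana | MCDPA | 45 days | +45 days |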

The 45-day standard with a 45-day extension has become the de facto template for US state privacy laws. If you have your process calibrated for a 45-day turnaround with the ability to extend to 90, you will be covered for most US regulations.

When Does the Clock Actually Start?

This question comes up constantly, and the answer is less ambiguous than you might hope.

The General Rule: Date of Receipt

For every major privacy law, the clock starts when you receive the request. Not when you open it, not when you assign it to someone, not when you understand it.

What Counts as Receipt?

  • Email: When the email arrives in the inbox it was sent to — even if no one reads it for a week
  • Letter: When the letter is delivered to your business premises
  • Phone call: When the call takes place (this is why you should ask verbal requesters to put it in writing)
  • Web form: When the form submission is recorded in your system
  • Social media: When the message is delivered to your account

The Identity Verification Question

As mentioned above, there is an informal understanding (particularly under GDPR) that if you promptly request identity verification, the practical clock can start from when verification is received. But this is not a formal rule, and you should not rely on it to add weeks to your timeline.

The safe approach:

  1. Acknowledge the request immediately
  2. Request identity verification immediately (same day or next business day)
  3. Start your data search while waiting for verification
  4. Do not delay any other steps while waiting

This way, even if the verification takes a few days, you have not wasted any time.

Extensions: How to Use Them Properly

Extensions exist for genuinely complex situations, not as a routine buffer. Here is how to use them without getting into trouble.

Valid Reasons for Extending

  • The request covers a large volume of data across multiple systems
  • Significant redaction is needed to protect third-party data
  • The request raises complex exemption questions that need legal analysis
  • You have received multiple requests simultaneously and genuinely cannot process them all within the standard deadline
  • The data involves technical formats that need conversion

Invalid Reasons for Extending

  • You are short-staffed
  • You forgot about the request
  • You are busy with other work
  • You want to buy time to figure out whether you need to comply
  • The requester is difficult

How to Communicate an Extension

When you extend, your notification to the requester should include:

  1. Acknowledgment that you are extending the deadline
  2. The reason for the extension (in plain English — do not just cite the law)
  3. The new deadline
  4. Confirmation that you are working on the request

Example:

We are writing to inform you that we require additional time to respond to your data access request dated [date]. Your request involves data across multiple systems and requires careful review to ensure third-party data is properly protected. We are extending our response deadline by [X] days/months. You can expect our full response by [new date]. We are actively working on your request and will provide it as soon as possible.

What Happens If You Miss the Deadline?

Missing a DSAR deadline is not the end of the world, but it is a problem you want to avoid. The consequences escalate depending on how badly you miss it and what you do about it.

A Day or Two Late (With Communication)

If you have been communicating with the requester throughout and your response arrives a few days late, the practical risk is low. Most regulators and most requesters will not escalate over a minor delay if the response is thorough and you were transparent about the timeline.

That said, "it's only a few days" is not a legal defense. You were still late.

Significantly Late (Weeks or Months)

This is where problems start. The requester may:

  • Complain to the regulator — the ICO in the UK, a DPA in the EU, the Attorney General in US states
  • Take legal action — individuals have a private right of action under GDPR and some US state laws
  • Post about it publicly — reputational damage is real, especially for B2C businesses

Complete Silence (No Response at All)

This is the worst scenario. Ignoring a DSAR entirely is a clear violation under every privacy law. It signals either incompetence or willful disregard, and regulators treat it accordingly. See our detailed guide on what happens if you ignore a DSAR for the full picture on fines and consequences.

Practical Advice: If You Are Going to Be Late

If you realize you are going to miss the deadline:

  1. Communicate immediately — contact the requester before the deadline passes, not after
  2. Explain why — be honest about the reason for the delay
  3. Give a firm new date — and meet it
  4. Provide what you can — if you have part of the data ready, consider providing a partial response with a commitment to complete the rest by a specific date
  5. Document everything — your records of the delay and your efforts to resolve it are your defense if the requester complains

Practical Tips for Meeting Deadlines

Build Your Process for Speed

  • Have a data inventory ready — know where personal data lives before a request arrives
  • Use templates — do not draft responses from scratch each time (see our DSAR response templates guide)
  • Assign clear ownership — one person should be responsible for each DSAR from start to finish
  • Set internal deadlines — your internal deadline should be at least 5-7 days before the legal deadline, to give yourself buffer for reviews and unexpected issues

Automate What You Can

  • Set calendar reminders for each deadline
  • Use a tracking spreadsheet or tool to monitor open requests
  • Create email templates for acknowledgments and follow-ups
  • If you receive DSARs regularly, consider tools that automate the data collection step

Do Not Wait

The number one reason small businesses miss DSAR deadlines is procrastination. The request arrives, no one is sure what to do with it, it gets set aside, and three weeks later someone realizes the deadline is in seven days.

Start working on every DSAR the day you receive it. Even if "work" on day one is just logging the request, acknowledging it, and requesting identity verification — that is progress, and it keeps the request from becoming a crisis.

Calendar Days vs. Business Days

One final point that catches people: almost every DSAR deadline is measured in calendar days, not business days. Weekends and holidays count toward your deadline.

The one small exception: if your deadline falls on a weekend or public holiday, most laws give you until the next business day. But the countdown itself always includes weekends and holidays.

So if you receive a GDPR request on a Friday, your 30-day clock started Friday — not the following Monday.
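The deadline arithmetic described in this article, as an added example that is not part of the original article: a calendar-month count for GDPR, a 45-calendar-day count for CCPA-style laws, month-end clamping, and the roll to the next working day. The function names, the `REGIMES` table, the 7-day internal buffer and the holiday set are assumptions made for illustration; applying the weekend roll to every regime follows the article's "most laws" statement.

```python
import calendar
from datetime import date, timedelta

# Regimes as summarised in this article: (unit, standard period, maximum extension).
REGIMES = {
    "gdpr": ("months", 1, 2),   # EU/UK GDPR: one calendar month, up to two more
    "ccpa": ("days", 45, 45),   # CCPA and most US state laws: 45 days, +45 days
}

def add_months(d, n):
    """Add n calendar months, clamping to the last day of a shorter month."""
    year, month0 = divmod(d.year * 12 + (d.month - 1) + n, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))

def roll_forward(d, holidays=frozenset()):
    """Move a deadline landing on a weekend or holiday to the next working day."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d

def dsar_deadline(received, regime, extended=False, holidays=frozenset()):
    """Deadline counted in calendar time from the date of receipt."""
    unit, standard, extension = REGIMES[regime]
    total = standard + (extension if extended else 0)
    if unit == "months":
        raw = add_months(received, total)
    else:
        raw = received + timedelta(days=total)
    return roll_forward(raw, holidays)

def schedule(received, regime, buffer_days=7, holidays=frozenset()):
    """Key dates for one request; buffer_days is an assumed internal margin."""
    standard = dsar_deadline(received, regime, holidays=holidays)
    return {
        # Respond by this date, or send the extension notice by it.
        "respond_or_notify_by": standard,
        "extended_deadline": dsar_deadline(received, regime, True, holidays),
        "internal_target": standard - timedelta(days=buffer_days),
    }

if __name__ == "__main__":
    # Constructed sample: request received on Sunday 31 January 2027.
    for name, when in schedule(date(2027, 1, 31), "gdpr").items():
        print(f"{name}: {when.isoformat()}")
```

Public holidays differ by jurisdiction, so the `holidays` set has to be supplied by the caller for the relevant country or state.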

References

Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
