How long does an organisation have to respond to a SAR?

Under UK GDPR, organisations must respond to a Subject Access Request within one calendar month. They can extend this by a further two months for complex requests, but must inform you within the first month and explain why.

What can I do if my SAR is ignored?

First, send a formal follow-up letter giving them 14 days to respond. If they still don't respond, you can complain to the Information Commissioner's Office (ICO). The ICO has powers to investigate and can order organisations to comply.

Can I complain to the ICO if an organisation refuses my SAR?

Yes. If an organisation refuses your SAR without valid reason, or claims an exemption you believe is wrong, you can complain to the ICO. The ICO will investigate and can order the organisation to provide the data if the refusal was unlawful.

Can I take legal action over an ignored SAR?

Yes. Under section 167 of the Data Protection Act 2018, you can apply to the court for an order requiring the organisation to comply. You may also be able to claim compensation if you've suffered damage or distress due to their failure to respond.

What to Do If Your Subject Access Request Is Ignored

Published: December 2025 · 8 minute read

You've sent a Subject Access Request (SAR) to an organisation asking for your personal data. The one-month deadline has passed. You've heard nothing — or you've received a vague response that doesn't actually provide what you asked for.

This is frustratingly common. Many organisations ignore SARs hoping people will give up. The good news is you have real enforcement options, and the Information Commissioner's Office (ICO) takes these complaints seriously.

This guide explains exactly what to do when your SAR is ignored, delayed, or refused.

Key Deadlines

Organisations must respond to a SAR within one calendar month. They can extend this to three months for complex requests, but must tell you within the first month and explain why. If they miss these deadlines without explanation, they're in breach of UK GDPR.

Step 1: Send a Formal Follow-Up Letter

Before escalating to the ICO, send a formal follow-up letter. This creates a paper trail and gives the organisation one final chance to comply. It also strengthens your ICO complaint if they still don't respond.

Your follow-up letter should include:

Reference to your original SAR and the date you sent it
Confirmation that the one-month deadline has passed
A clear statement that they are in breach of Article 12 of UK GDPR
A deadline of 14 days to provide a full response
Notice that you will complain to the ICO if they fail to respond

Send this by email (for a timestamp) and keep a copy. If you have a postal address, consider sending a hard copy too.

Step 2: Complain to the ICO

If the organisation still doesn't respond — or responds inadequately — you can complain to the Information Commissioner's Office. The ICO is the UK's data protection regulator and has powers to investigate and enforce compliance.

How to Submit Your ICO Complaint

You can complain online through the ICO website at ico.org.uk/make-a-complaint. You'll need:

A copy of your original SAR
Proof of when you sent it (email confirmation, postal receipt)
Any responses you've received (or confirmation of no response)
Your follow-up letter and proof it was sent
A clear explanation of what's happened

Important: The ICO expects you to try to resolve the issue first

The ICO may reject complaints where you haven't given the organisation a reasonable chance to respond. This is why the follow-up letter in Step 1 is important — it shows you've tried to resolve the matter directly.

What Happens After You Complain

The ICO will review your complaint and may:

Contact the organisation to investigate
Request evidence of their response (or lack of it)
Order the organisation to comply with your SAR
Issue a reprimand or enforcement notice
In serious cases, issue a fine

The ICO typically responds within a few weeks, though complex cases can take longer. They will keep you informed of progress.

Step 3: Consider Legal Action

If the ICO route doesn't resolve the issue — or if you need faster results — you can take legal action in the courts.

Court Order to Comply

Under section 167 of the Data Protection Act 2018, you can apply to the County Court (or High Court) for an order requiring the organisation to comply with your SAR. This is a relatively straightforward application if the organisation has clearly failed to respond.

Compensation Claims

Under Article 82 of UK GDPR, you may be entitled to compensation if you've suffered:

Material damage — financial loss caused by not having the data
Non-material damage — distress, anxiety, or inconvenience

Compensation claims can be made alongside an application for a compliance order, or separately. Small claims (under £10,000) can be handled through the County Court small claims track without needing a solicitor.

When Legal Action Makes Sense

Legal action is worth considering when: (1) you need the data urgently and can't wait for the ICO, (2) you've suffered actual harm from not having the data, or (3) the organisation is deliberately obstructing you and you want to send a clear message.

Common Reasons SARs Are Ignored (and How to Address Them)

"We didn't receive your request"

This is why sending by email (with a read receipt if possible) or recorded post matters. If you can prove delivery, this excuse falls apart. Your follow-up letter should reference the original delivery evidence.

"Your request wasn't clear enough"

UK GDPR doesn't require SARs to be in any particular format. If your request made clear you wanted your personal data under data protection law, it's valid. However, if they genuinely need clarification, they should have asked within a reasonable time — not after the deadline passed.

"We need more time"

Organisations can extend the deadline to three months for complex requests. But they must tell you within the first month, explain why, and keep you updated. Simply going silent isn't acceptable.

"We're claiming an exemption"

There are legitimate exemptions under UK GDPR — for example, data covered by legal professional privilege, or data that would reveal information about other people. But the organisation must tell you which exemption applies and why. A blanket refusal without explanation is not valid.

How to Strengthen Your Position

To give yourself the best chance of success:

Keep records of everything — every email, letter, and phone call
Set clear deadlines in your correspondence
Be specific about what data you're requesting
Stay professional — angry letters are less effective than firm, clear ones
Follow up in writing after any phone conversations

Need Help With Your SAR or ICO Complaint?

Clear Draft can help you draft a formal follow-up letter, ICO complaint, or pre-action letter for legal proceedings. Professional documents that get taken seriously.

Request a Quote

What If You're Outside the UK?

UK GDPR applies to organisations based in the UK, or organisations outside the UK that process UK residents' data. If you're outside the UK but dealing with a UK organisation, you still have the right to make a SAR.

The ICO can still investigate complaints from people outside the UK, as long as the organisation being complained about is subject to UK data protection law.

Summary: Your Enforcement Options

When your SAR is ignored, you have three main routes:

Follow-up letter — Give them 14 days and put them on notice
ICO complaint — Free, takes a few weeks, can result in enforcement action
Legal action — Court order to comply and/or compensation claim

Most organisations will comply once they receive a formal follow-up or learn that an ICO complaint has been made. The key is not giving up — your right to access your data is protected by law, and there are real consequences for organisations that ignore it.