
How quickly must DSARs be answered?

Under GDPR, you must respond to Data Subject Access Requests within one month of receipt. This period begins when you receive the request, regardless of the channel through which it arrives: email, postal mail, web form, phone call, or any other means. The one-month clock doesn't pause while you verify identity or gather data; those activities must happen within the response window.

For complex or numerous requests, you can extend the response period by up to two additional months. However, you must inform the requester of the extension and the reasons for it within the initial one-month period. Extensions should be used only when genuinely necessary; routinely extending deadlines may be seen as obstructing data subject rights. Document the complexity that justified any extension.

Other jurisdictions have different timelines: CCPA allows 45 days, extendable by 45 more with notice; UK GDPR maintains the one-month standard. If you operate across multiple jurisdictions, build processes that meet the strictest applicable requirement. In practice, aim to complete responses well before deadlines. If you routinely finish in three weeks, unexpected complications won't cause violations. Track all DSARs from receipt to response completion, and establish escalation procedures for requests approaching their deadline. Deadlines for DSARs aren't suggestions; they're legal requirements, and missing them is a compliance violation that can trigger regulatory action.