How quickly do I need to respond to an SAR?

Under GDPR, you must respond to Subject Access Requests within one month of receipt. This deadline can be extended by up to two additional months for complex or voluminous requests, but you must inform the requester of the extension (and the reasons for it) within the initial one-month period. The clock starts when you receive the request, regardless of channel: an SAR arriving via email at midnight is received at that moment, even if staff don't see it until the next business day.

Other privacy regulations have varying timelines. CCPA requires response within 45 days, extendable by an additional 45 days with notice. UK GDPR (post-Brexit) maintains the one-month standard similar to EU GDPR. When operating across multiple jurisdictions, apply the strictest applicable timeline or establish uniform processes that meet all requirements. Note that some regulations specify calendar days while others use business days; clarify which applies in your jurisdiction.

Build your processes to handle SARs well within required timeframes. If you routinely push against deadlines, any unexpected complexity or volume surge will cause violations. Establish acknowledgment procedures (confirm receipt immediately), verification processes that don't consume excessive time, efficient data retrieval across all systems, and quality review before response delivery. Track SARs from receipt through completion to ensure none fall through the cracks. Consider implementing a buffer period internally. If the legal deadline is one month, aim to complete responses in three weeks to allow for complications. The deadline isn't a target to hit; it's a boundary you must never cross, so build margin into your processes.