A customer asked for their data — you have 30 days (UK DSAR guide)
Short answer: under UK GDPR, anyone can ask for a copy of all the personal data you hold on them — a subject access request, or DSAR — and you have one calendar month to respond, free of charge. The clock starts the moment they ask, not when you get round to reading the email. For most small stores the hard part isn’t the deadline; it’s knowing where all the data actually lives.
What is a subject access request?
A DSAR is a person exercising their right of access under UK GDPR. They can ask you to confirm whether you hold data about them, to give them a copy of it, and to explain how and why you use it. It doesn’t have to be formal — an email, a message, even a verbal request can count. There’s no special wording; “send me everything you have on me” is a valid DSAR.
The 30-day clock (and when it can extend)
You must respond without undue delay and within one month of receiving the request. The month runs from the day you receive it. It is normally free — you can’t charge just for complying.
The deadline can be extended by up to a further two months where a request is complex or where someone has made a number of requests, but you have to tell the person about the extension (and why) within the original month. You may also ask for reasonable information to confirm the requester’s identity before you start, which can pause the clock — but you can’t use verification as a stalling tactic.
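The deadline rules in this section as a small tracker, an added Python example that is not from the guide or from GuardianStack. It assumes the ICO's month-end convention (a request received on 31 January is due on 28 February) and that any identity check was reasonable to ask for.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

def add_months(d: date, months: int) -> date:
    """Corresponding date `months` later; if that month is shorter, its last day
    (the ICO's reading of 'one month', assumed here)."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

@dataclass
class Dsar:
    received: date                             # day the request arrived, by any channel
    identity_confirmed: Optional[date] = None  # set only if proof of ID was reasonably asked for
    extension_months: int = 0                  # 0, 1 or 2
    extension_notified: Optional[date] = None  # day the requester was told, with reasons

    def clock_start(self) -> date:
        # Reasonable identity verification pauses the clock until it is satisfied.
        return self.identity_confirmed or self.received

    def original_deadline(self) -> date:
        return add_months(self.clock_start(), 1)

    def deadline(self) -> date:
        if self.extension_months == 0:
            return self.original_deadline()
        if not 1 <= self.extension_months <= 2:
            raise ValueError("extension is at most two further months")
        if self.extension_notified is None or self.extension_notified > self.original_deadline():
            raise ValueError("extension must be notified within the original month")
        # Counted from the clock start so month-end drift cannot shorten it.
        return add_months(self.clock_start(), 1 + self.extension_months)

    def days_left(self, today: date) -> int:
        """Negative means the response is already overdue."""
        return (self.deadline() - today).days

def response_deadline(received: str, identity_confirmed: Optional[str] = None,
                      extension_months: int = 0, extension_notified: Optional[str] = None) -> str:
    """ISO-date convenience wrapper, e.g. for a helpdesk or ticketing script."""
    iso = date.fromisoformat
    d = Dsar(iso(received), iso(identity_confirmed) if identity_confirmed else None,
             extension_months, iso(extension_notified) if extension_notified else None)
    return d.deadline().isoformat()

if __name__ == "__main__":
    print(response_deadline("2025-01-31"))                                   # 2025-02-28
    print(response_deadline("2025-01-31", extension_months=2,
                            extension_notified="2025-02-10"))                # 2025-04-30
```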
What you actually have to provide
At minimum, a DSAR response includes:
- Confirmation that you’re processing their personal data;
- A copy of that personal data;
- The supporting information — why you use it, who you share it with, how long you keep it, and their rights.
“Their personal data” is broader than a store owner expects. It isn’t just the order record. It can live in your email marketing platform, your helpdesk and chat logs, your reviews app, your analytics, your CRM, and your inbox. If it identifies that person and you hold it, it’s usually in scope.
Why the deadline is not the hard part
A month sounds generous until you try to collect everything. The real difficulty is that customer data is scattered across your app stack, and most stores have never mapped where it all sits. When a request lands, the scramble begins: which tools hold this person’s data, how do you export it, and are you confident you’ve found all of it?
That’s an operational readiness problem, and it’s the same underlying gap behind most compliance stress — the business grew, the tools multiplied, and nobody kept a map. The stores that handle DSARs calmly are the ones that already know where personal data lives before anyone asks.
How to be ready before the request lands
Readiness comes down to knowing your data map: which connected tools hold personal data, and how you’d retrieve a single person’s records from each. Keeping that current is exactly the kind of thing that slips — which is why it helps to check it continuously rather than rediscover it under a deadline. GuardianStack’s checks surface the tools processing customer data so the map is there when you need it; the free public check gives you the outside-in starting point in about 30 seconds.
The bottom line
A DSAR is a one-month, no-charge obligation that can arrive any day, by any channel. The deadline is manageable; the scramble to find scattered data is not. Map where personal data lives now, keep it current, and a request becomes a routine task instead of a fire drill.
Sources
The primary sources behind this guide — check them yourself:
Frequently asked questions
How long do I have to respond to a DSAR in the UK?
One calendar month from receiving the request, free of charge. It can be extended by up to two further months for complex or numerous requests, but you must tell the requester about the extension and the reason within the first month.
Can I charge for a subject access request?
Usually no — you must respond free of charge. You can only charge a reasonable fee, or refuse, where a request is manifestly unfounded or excessive, and you'd need to be able to justify that. A fee can't be used to discourage legitimate requests.
What data do I have to include in a DSAR response?
All the personal data you hold about the person, plus supporting information: the purposes of processing, who you share the data with, how long you keep it, and their rights. Personal data can sit across many tools — email platforms, helpdesk, analytics, CRM — so a complete response usually means checking each.
See where your store actually stands
Run a free outside-in compliance check of your website — no login required, results in about 30 seconds.