Understanding the 30-day statutory deadline
UK GDPR requires you to respond to all data subject requests within one calendar month (approximately 30 days) of receiving the request. Missing this deadline without a valid extension is a breach of UK GDPR and should be reported to the ICO.
How the deadline works
The clock starts on the day the request is received, not the day you review it or the day you log it in Folelse. If the request arrives on 1 March, your deadline is 1 April (or the next working day if that date falls on a weekend or bank holiday).
The 2-month extension
You can extend the deadline by a further 2 months for complex or numerous requests. You must notify the requestor within the original 1-month period that you are extending, and explain why. Log this notification in Folelse and attach a copy.
- Complex requests — involve a very large amount of data, or require significant effort to retrieve and redact.
- Numerous requests — the individual has sent multiple requests simultaneously.
Folelse deadline indicators
- Green — more than 14 days remaining.
- Amber — 8–14 days remaining.
- Red — 7 or fewer days remaining.
- Critical / Overdue — past the deadline.
If a request is overdue, act immediately. Respond to the individual first, then record the missed deadline and consider whether it is a breach you must report to the ICO (it may be, particularly if it involved special category data).
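The deadline rule and the indicator bands described above, worked through as an added example (this is not Folelse's own code). The function names, the sample bank-holiday set, clamping to the last day of a shorter month, rolling the extended deadline to a working day, and treating the due day itself as Red are assumptions.

```python
import calendar
from datetime import date, timedelta

# Constructed sample: one England and Wales bank holiday (Easter Monday 2024).
# A real calculation needs the full list for the relevant jurisdiction.
SAMPLE_BANK_HOLIDAYS = frozenset({date(2024, 4, 1)})

def add_calendar_months(d, months):
    """Same day-of-month `months` later. Assumption: if that day does not
    exist (e.g. 31 Jan + 1 month), use the last day of the target month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))

def next_working_day(d, holidays):
    """Roll forward past Saturdays, Sundays and listed bank holidays."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d

def response_deadline(received, extended=False, holidays=SAMPLE_BANK_HOLIDAYS):
    """One calendar month from receipt, or three in total when the
    further 2-month extension has been notified to the requestor."""
    months = 3 if extended else 1
    return next_working_day(add_calendar_months(received, months), holidays)

def indicator(deadline, today):
    """Map days remaining onto the four indicator bands."""
    remaining = (deadline - today).days
    if remaining < 0:
        return "Critical / Overdue"   # past the deadline
    if remaining <= 7:
        return "Red"                  # 7 or fewer days (due day included)
    if remaining <= 14:
        return "Amber"                # 8-14 days
    return "Green"                    # more than 14 days

if __name__ == "__main__":
    received = date(2024, 3, 1)       # constructed sample request date
    due = response_deadline(received)
    print(received, "->", due, indicator(due, date(2024, 3, 20)))
```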
Requests you can refuse
You can refuse or charge a reasonable fee for requests that are "manifestly unfounded or excessive" — typically meaning the requestor is making the same request repeatedly to cause disruption. Document your reasoning carefully in Folelse and notify the requestor within 1 month.