Subject Access Requests and Complaints: The Overlooked Link
Posted in Data Protection
Many data protection complaints do not start with a serious breach or misuse of personal data. Instead, they begin with something far more routine: a mishandled subject access request (SAR).
In practice, we often see complaints escalated to senior management, trustees, regulators, or even the ICO, not because an organisation acted unlawfully at the outset, but because expectations were not managed and processes did not align. Understanding the link between SAR handling and complaints is therefore critical to reducing risk and avoiding unnecessary escalation.
How SAR failures trigger complaints
A SAR is often an emotionally charged request. The individual may be in dispute with the organisation, exiting employment, or questioning how decisions affecting them were made. A delayed response, unclear explanation, or inconsistent handling can quickly be perceived as obstructive or negligent.
Common triggers include missed deadlines, allegations of ‘incomplete’ disclosures, a poorly drafted privacy notice, over-reliance on exemptions, or contradictory messaging between teams. Even where the legal position is sound, poor communication or lack of transparency can drive frustration and lead directly to a formal complaint.
Once a complaint is raised, the original SAR becomes heavily scrutinised. What might have been a manageable request can escalate into an extended correspondence trail, increased regulatory risk, and significant internal cost.
The importance of procedure alignment
SAR processes and complaints handling procedures are often drafted and operated in isolation. That is a missed opportunity.
Alignment with your privacy notice, policies, and procedures ensures that issues are identified early, explanations are consistent, and individuals understand how to raise concerns without immediately escalating externally.
From June 2026, organisations will also be required to have a clear process for handling data protection complaints, making this alignment even more important. A data protection complaints procedure will help you stay one step ahead by preparing you for complex issues surrounding data protection rights (and help you stay on the right side of the law).
Joined-up documents reduce risk, support staff confidence, and demonstrate compliance with the accountability principle.
Response deadlines: Why timing matters
Under UK GDPR, organisations must respond to a SAR without undue delay and in any event within one month. That period may only be extended by up to a further two months where requests are complex or numerous, and individuals must be informed promptly of any extension.
Missed deadlines are one of the most common reasons individuals complain to the ICO. Importantly, the clock starts on receipt of the request, not when it is logged internally or passed to the correct team. Where SAR handling processes are not well understood across the organisation, deadlines are easily missed.
Clear escalation routes, ownership, and diarised review points are essential. From a complaints perspective, being able to demonstrate that deadlines were monitored and decisions reviewed can be just as important as the substance of the response itself.
Record keeping: Evidence is critical
When a complaint is made, organisations must be able to show what was done, when, and why. Practically, that means keeping clear records of:
- When the SAR was received and acknowledged;
- Any clarification sought;
- Decisions on searches, scope, and exemptions; and
- Communications with the requester.
Without this audit trail, it becomes difficult to defend complaints or demonstrate accountability. A complaints handler stepping into the matter should be able to understand the SAR journey quickly and consistently, without having to reconstruct it from emails or assumptions.
Managing complex or vexatious requests
Some SARs are genuinely complex. Others may be excessive in volume, repetitive, or accompanied by lengthy correspondence generated to exert pressure rather than clarify issues. UK GDPR allows organisations to manage these situations, but only where decisions are taken carefully and documented properly.
Problems arise where teams improvise responses or apply different thresholds without reference to a shared procedure. If one team treats a request as manageable while another labels it vexatious, any subsequent complaint is far harder to resolve.
A well-designed process (ideally codified in a procedure) should support proportionate decision-making, senior sign-off where needed, and clear explanations to individuals about how their request is being handled.
Key takeaway
If your organisation treats SARs and complaints as separate issues, escalation risk increases. Reviewing how your SAR handling feeds into complaint resolution – and ensuring both processes work together – can prevent routine requests from becoming regulatory problems.
Seeking early legal input
Seeking legal input only once difficulties have arisen can significantly increase regulatory risk. Early advice enables organisations to respond to SARs lawfully, defensibly and proportionately, reducing the likelihood of complaint or escalation.
Why instruct Tozers?
We pride ourselves on being more than just lawyers; we are your strategic partners. As a top firm for client satisfaction, we’ve built our reputation on listening first and talking second. We specialise in turning legalese into easily actionable and practical steps, ensuring you feel confident and informed at every step of your data protection journey.
If you need assistance with SARs, policies and procedures, or staff training, speak with us today.
