A company refused or ignored my DSAR — what now?

First, check what actually happened

A response that feels like a refusal is not always one. Under the UK GDPR (Article 15), an organisation usually has one calendar month from the date it receives your request and confirms your identity. If that month has not yet passed, the organisation may simply still be within its time. For a complex request it can extend the deadline by up to two further months, but it must tell you about the extension within the first month.

So the first step is to read what you were sent, calmly. Did the organisation ask you to confirm your identity before it starts? Did it explain that part of your data is being withheld under a limited exemption, such as information that would reveal someone else's personal data? Knowing the actual reason tells you which next step fits — a missing identity check is very different from a flat refusal.

• Check the date you sent the request and whether one calendar month has passed.
• Look for any identity-verification step the organisation is waiting on.
• Note any reason or exemption it gave for withholding part of the data.

Send a short, clear follow-up

If the deadline has passed with no reply, or the response is incomplete, a brief written follow-up is often enough. Keep it factual: state the date of your original request, that it was a request for access to your personal data under the UK GDPR, and that you have not received a full response within one calendar month. Ask them to confirm what they hold and to provide the copy you are entitled to.

Put it in writing — email is fine — and keep a copy of what you send and when. A clear paper trail matters if you later decide to escalate. You do not need legal language or a special form; a plain, dated message that references your right of access is enough.

• Reference your original request date and the one-month time limit.
• Ask plainly for confirmation of what they hold and a copy of it.
• Keep dated copies of every message, in case you escalate.

Your right to complain to the regulator

If you have followed up and you are still unsatisfied — the organisation continues to refuse, stays silent past the deadline, or gives an answer you do not believe is right — you have the right to complain to the data-protection regulator. In the UK this is the Information Commissioner's Office (ICO), the independent authority for data protection, at ico.org.uk.

The ICO can look into how an organisation has handled your request. Complaining is free, and you can do it yourself. It is usually worth giving the organisation a clear chance to put things right first, but the route to the regulator stays open to you if that does not work.

This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.

• You can complain to the ICO at ico.org.uk — it is free, and you can do it yourself.
• Try a clear follow-up with the organisation first, then escalate if needed.
• Keep your dated correspondence to support your complaint.

Frequently asked questions

Related terms

• Data Subject Access Request (DSAR)
• Data protection regulator
• Data controller