Employment Law — DSAR Non-Compliance and Chase Letter Support
They had 30 days
to respond. The clock
has already run out.
A data subject access request carries a statutory 30-day response deadline. When that deadline passes without a response, the organisation is in breach of UK GDPR. A formally drafted chase letter, referencing that breach and the escalation steps available to you, is the most effective way to get the response you are owed.
THE ICO EXPECTS COMPLAINTS TO BE MADE WITHIN THREE MONTHS OF THE LAST SUBSTANTIVE CONTACT
If the organisation has not responded to your DSAR and you have not yet heard from them at all, the three-month window for an ICO complaint runs from the point at which a response should have been provided. The longer you wait before taking formal action, the narrower your escalation options become. If you are unsure where you stand in terms of timing, contact us before booking.

You did everything correctly. You submitted the request. You waited. You are still waiting. That is not acceptable, and it is not the end of the road.
A data subject access request is a statutory right under UK GDPR. Every individual has the right to request access to personal data held about them by any organisation, and every organisation that receives that request has a legal obligation to respond within one calendar month. That obligation is not advisory. It is not discretionary. It is a legal requirement with an independent regulator behind it.
When an organisation fails to respond within 30 days, they are in breach of UK GDPR. When they provide an incomplete response, rely on exemptions they cannot justify, or simply ignore the request entirely, they are in breach of UK GDPR. Most people in this situation do not know what to do with that breach. They send another email. They call and are told someone will look into it. The weeks pass and nothing arrives.
A formally drafted non-compliance letter changes the nature of the interaction. It is not another informal chase. It is a document that names the specific breach, references the statutory obligations the organisation has failed to meet, sets out the steps you are prepared to take if they do not comply, and creates a contemporaneous record of every attempt you have made to obtain what you are legally owed. That document, in the hands of the right person in the organisation, produces results that informal chasers rarely do.
The ICO is the escalation route that gives the chase letter its credibility. The Information Commissioner's Office is the UK data protection regulator. It investigates complaints about organisations that have failed to comply with their data protection obligations, and it has the power to require compliance, issue enforcement notices, and impose significant financial penalties for serious or repeated breaches. Organisations know this. A chase letter that references an ICO referral as the imminent next step is not a bluff. It is a credible statement of exactly what happens next.
In the majority of cases, a properly drafted non-compliance letter produces a response before an ICO complaint is ever necessary. The letter signals that the person making the request understands their rights, has documented the breach correctly, and is prepared to escalate formally. That combination, in our experience, is sufficient to prompt compliance in most cases without the need to go further.
Where the organisation is a law firm, the stakes are higher. A law firm that fails to respond to a data subject access request is not just breaching UK GDPR. It may be failing in its obligations to a former client in a way that is directly relevant to an ongoing complaint or claim. A non-compliance letter in that context carries the weight of both the ICO route and the Legal Ombudsman route, and is drafted to make both paths explicitly visible.
"An informal email asking for an update is easy to ignore. A formally drafted letter naming the statutory breach, the specific obligations that have not been met, and the ICO referral that will follow if they are not, is considerably harder to put to one side."
WE CAN HELP WITH
Non-compliance situations we work with regularly.
01
Complete non-response within 30 days
Where no response of any kind has been received within the one-month statutory period. The chase letter names the specific date the DSAR was submitted, the date by which a response was required, and the fact that no response has been received. It sets a specific deadline for compliance and names the ICO referral that will follow if that deadline is not met.
04
Law firm non-compliance with a client file DSAR
Where a former client has submitted a DSAR to a law firm requesting their client file and associated personal data, and the firm has failed to respond adequately or at all. Law firm non-compliance carries dual escalation potential through both the ICO and the Legal Ombudsman, and the chase letter is drafted to make both routes explicitly visible to the receiving firm.
02
Invalid or late extension claims
Where the organisation has attempted to claim an extension to the response period after the initial month has already elapsed, or without providing adequate reasons. A late or unsupported extension claim does not restart the clock. The breach runs from the end of the original one-month period, and the chase letter makes that position explicit.
05
Employer non-compliance in an employment dispute context
Where a DSAR was submitted to an employer as part of an employment dispute and the employer has failed to respond within the statutory period or has provided a response that is obviously incomplete. In this context the chase letter serves both the data protection purpose and the evidential purpose, and is drafted with awareness of the underlying dispute and what the non-compliance signals about the employer's approach.
03
Incomplete or inadequate responses
Where a response has been received but is clearly incomplete, omits categories of data the organisation demonstrably holds, or provides heavily redacted documents without adequate explanation. The chase letter identifies specifically what is missing, what exemptions have been applied and why they are not adequate, and requests full compliance within a defined period.
06
Preparing for an ICO complaint where the chase letter has not produced a response
Where a chase letter has already been sent and the organisation has still not complied. In this situation we help you prepare the documentation needed for a formal ICO complaint: the timeline of requests and responses, the specific breaches to be reported, and the supporting evidence that demonstrates that the organisation was given every opportunity to comply before the complaint was made.
WHY SAFEGUARD LEGAL
This service is right for some people and not for others. Here is how to tell.
THIS IS RIGHT FOR YOU IF
You submitted a DSAR more than 30 days ago and have not received a response
You received a response that was clearly incomplete, relied on unjustified exemptions, or omitted data you know the organisation holds
An extension was claimed after the one-month deadline had already passed, or without adequate reasons
You have already made a disclosure and are now experiencing detriment you want to document formally
The non-compliant organisation is a law firm, an employer, or any other data controller
You want to put formal pressure on the organisation to comply before making an ICO complaint
THIS IS NOT RIGHT FOR YOU IF
You have not yet submitted a DSAR and need help drafting the original request
You need regulated legal advice on your data protection rights or the lawfulness of the organisation's conduct
You need representation before the ICO or in any formal enforcement proceedings
The ICO three-month complaint window has already closed without any contact from the organisation
They have already missed the deadline. Do not let them ignore the next one.
Use the calculator to get your exact fixed price before committing to anything. It takes under two minutes.
HOW IT WORKS
Four steps. No uncertainty.
01
GET YOUR FIXED PRICE.
Answer a short set of questions about your DSAR submission and the response you have or have not received. The calculator gives you an exact, all-inclusive fee before you pay anything.
02
PAY & BOOK
Pay securely online and book your telephone consultation. Send your original DSAR, any response received, proof of delivery, and the dates of any previous chasers before the session.
03
Consultation and drafting
We go through the timeline, assess the specific breach, and draft the chase letter. It names the breach precisely, sets a clear compliance deadline, and makes the escalation steps explicit. Delivered within 72 hours of consultation.
04
Review and send
Read the draft carefully. One full revision is included. Once finalised, the letter is ready to send. We advise on delivery method and record-keeping, and on what to do if the organisation still does not respond within the deadline given.
We know how these letters are read, and what makes them produce results.
Built inside regulated practice
Our work is grounded in 17 years of experience across regulated law firms, including direct management of Legal Ombudsman complaints and DSAR processes from inside organisations. We know how non-compliance letters land on the desk of a data protection officer, what they do to compliance teams, and what language produces a response that an informal chase never did.
Law Society accredited
Our principal holds a Law Society award in Employment Law, an independently verified micro-credential that reflects the standard against which every piece of work is calibrated. Where the non-compliance sits in an employment dispute context, that background is directly relevant to how the letter is framed and what it achieves beyond the data protection compliance question.
Fixed fee, not hourly
A DSAR non-compliance chase letter is a relatively contained instruction. The fee reflects that. It is agreed before payment is taken, covers everything listed, and does not change regardless of the organisation's response or the time spent on the instruction.
"A formally drafted non-compliance letter, sent to the right person at the right organisation with the ICO referral made explicit, is one of the most cost-effective legal documents we prepare. In most cases it produces the response. In all cases it creates the record."
YOUR FIXED FEE
PLEASE READ
Safeguard Legal is not a law firm and is not regulated by the Solicitors Regulation Authority. The support we provide is legal document drafting and practical guidance, not regulated legal advice. We do not provide regulated legal advice on data protection disputes or claims.
What we provide is experienced, professionally prepared document support built on 17 years inside the UK legal system. The difference is the business model. Not the standard of the work.
FREQUENTLY ASKED QUESTIONS
Questions people ask before booking
What happens if an organisation doesn't respond to a DSAR within 30 days?
An organisation that fails to respond to a data subject access request within one calendar month is in breach of UK GDPR. That breach gives you the right to complain to the Information Commissioner's Office, which investigates non-compliance and can require the organisation to provide the data requested, issue enforcement notices, and impose financial penalties for serious or repeated breaches. Before making an ICO complaint, it is generally advisable to send a formal non-compliance letter giving the organisation a final opportunity to comply. In most cases this produces a response. Where it does not, the letter forms the foundation of the ICO complaint.
How do I complain to the ICO about a DSAR?
An ICO complaint is made through the ICO website. Before making the complaint, you should be able to demonstrate that you submitted a valid DSAR, that the organisation received it, that the response deadline has passed, and that you have given the organisation a reasonable opportunity to comply after being notified of the breach. The ICO expects complaints to be made within three months of the last substantive contact with the organisation. A formally drafted non-compliance letter, sent before the ICO complaint, creates the record you need and gives the organisation the final opportunity the ICO will expect you to have provided.
The organisation says they need more time. Is that allowed?
An organisation may extend the response period by up to two months where the request is complex or where a large number of requests have been received. However, they must notify you of the extension within the initial one-month period and explain why it is needed. An extension notification received after the one-month deadline has already passed is not a valid extension. An extension claimed without reasons is not valid. If an organisation has told you they need more time after the deadline has already passed, or without providing a proper explanation, the breach continues to run and the extension claim does not justify the non-compliance.
I received a response but it seems incomplete. Does this count as non-compliance?
Yes. A response that is clearly incomplete, that omits categories of data the organisation demonstrably holds, that applies exemptions without adequate explanation, or that provides heavily redacted documents without justification is not a compliant response. The organisation's obligation is to provide all personal data they hold about you, not just some of it. Where the response is inadequate, a formally drafted chase letter identifies specifically what is missing, challenges any exemptions that appear to have been applied without justification, and requests full compliance within a defined period.
Will a chase letter actually work?
In the majority of cases, yes. The difference between an informal email asking for an update and a formally drafted non-compliance letter is significant. A formal letter names the specific statutory breach, references the ICO as the next step, and signals that the person making the request understands their rights and is prepared to exercise them. Organisations, particularly law firms and larger employers, have compliance teams and data protection officers who take that signal seriously. They would rather comply at this stage than deal with an ICO investigation. That is why chase letters work in most cases, and why the cases where they do not typically proceed to a straightforward ICO complaint.
Is this confidential?
Yes. Everything you share with us is held in strict confidence and used only for the purpose of preparing your document. We do not share your information with any third parties. Full details are set out in our Privacy Policy.
What if my situation turns out to be more complex than I thought?
The triage calculator identifies complexity before quoting. If your matter falls outside our standard scope because of volume, complexity, or urgency then you will be told immediately and directed to the appropriate support. If additional complexity emerges during the consultation, we will discuss this with you openly before proceeding.
The breach is documented.
Now put it in writing.
Get your fixed price in under two minutes; no commitment required.
.png)