E2E Integration has issued a warning to UK organisations that errors in the handling of Subject Access Requests are becoming increasingly common, just as attention on compliance and response deadlines continues to grow.
The Cheshire-based IT and data protection consultancy, which provides specialist support for SAR management, has seen a clear increase in organisations seeking assistance in recent months. This rise comes amid ongoing updates to UK data protection legislation.
To help organisations respond more effectively, E2E Integration has outlined the most frequent mistakes it encounters when supporting businesses through the SAR process.
“One of the biggest mistakes we see is organisations misunderstanding what a Subject Access Request actually covers,” said Sarah Webb, Director of Data Protection at E2E Integration. “Many assume it only applies to formal documents or HR records, but emails, internal messages, shared drives, cloud systems, and archived data can all be in scope. Overlooking this often leads to delays and incomplete responses.”
Meeting statutory deadlines is another key challenge highlighted by the consultancy.
“The biggest risk is time,” Sarah explained. “The one-month legal deadline comes around very quickly, especially when data is spread across different systems or teams. Delays usually happen because it’s unclear who owns the request or where the data sits, rather than because of technical problems.”
“Businesses also need to be aware that the deadline starts from the day a request is received, and the response must be provided by the same date in the following month, or the last day of the month if there is no corresponding date.”
E2E Integration also notes that many organisations lack consistent processes for dealing with SARs before a request is made.
“Too often, SARs are treated as a one-off emergency,” Sarah added. “Without clear processes and ownership in place, meeting the one-month legal deadline becomes extremely difficult, especially when data is held across multiple systems or teams.”
These pressures are expected to increase as the UK moves towards implementation of the Data Reform Bill (DUAA). Although the legislation is designed to modernise data protection rules, E2E Integration stresses that organisations will still be required to demonstrate effective control over personal data.
“Subject Access Requests are becoming more frequent, particularly in situations involving complaints, employment matters, or disputes,” Sarah said. “Although the law is evolving, organisations will still be expected to demonstrate that they know where personal data is held and how requests are managed.”
The consultancy supports organisations across education, healthcare, public services, the third sector and commercial industries. It emphasises that SAR obligations apply universally to any organisation that processes personal data.
“To reduce risk, organisations need simple, practical processes in place,” Sarah concluded. “Knowing what data you hold, assigning clear responsibility and being cautious about the tools you rely on makes a significant difference. Treating SARs as a normal business process rather than a last-minute scramble is key.”
In 2025, E2E Integration assisted organisations with the successful delivery of 275 Subject Access Requests across a broad range of sectors.
