E2E Integration, an IT and data protection consultancy based in Cheshire, is cautioning organisations nationwide that avoidable mistakes in handling Subject Access Requests (SARs) are becoming increasingly common, at a time when regulatory scrutiny of response times is intensifying.
The consultancy, which supports organisations with the management and delivery of SAR responses, reports a noticeable rise in demand for its services over recent months. This trend has coincided with ongoing changes to the UK data protection landscape.
In response, E2E Integration has shared guidance highlighting the most frequent pitfalls businesses should avoid when dealing with Subject Access Requests.
“One of the biggest mistakes we see is organisations misunderstanding what a Subject Access Request actually covers,” said Sarah Webb, Director of Data Protection at E2E Integration. “Many assume it only applies to formal documents or HR records, but emails, internal messages, shared drives, cloud systems, and archived data can all be in scope. Overlooking this often leads to delays and incomplete responses.”
Sarah also drew attention to the importance of statutory time limits.
“The biggest risk is time,” Sarah explained. “The one-month legal deadline comes around very quickly, especially when data is spread across different systems or teams. Delays usually happen because it’s unclear who owns the request or where the data sits, rather than because of technical problems.”
“Businesses also need to be aware that the deadline starts from the day a request is received, and the response must be provided by the same date in the following month, or the last day of the month if there is no corresponding date.”
Another common problem identified by E2E Integration is the reactive way organisations deal with SARs once a request arrives.
“Too often, SARs are treated as a one-off emergency,” Sarah added. “Without clear processes and ownership in place, meeting the one-month legal deadline becomes extremely difficult, especially when data is held across multiple systems or teams.”
These issues are becoming more pronounced as the UK prepares for further reform under the forthcoming Data Reform Bill (DUAA). While the proposed legislation is intended to update and streamline the framework, E2E Integration warns that organisations should not interpret it as a reduction in accountability.
“Subject Access Requests are becoming more frequent, particularly in situations involving complaints, employment matters, or disputes,” Sarah said. “Although the law is evolving, organisations will still be expected to demonstrate that they know where personal data is held and how requests are managed.”
E2E Integration works with a wide range of organisations across the UK, including schools and multi-academy trusts, healthcare and care providers, public and third-sector bodies, as well as private businesses. The consultancy notes that SAR obligations apply to any organisation that processes personal data, regardless of scale or industry.
“To reduce risk, organisations need simple, practical processes in place,” Sarah concluded. “Knowing what data you hold, assigning clear responsibility and being cautious about the tools you rely on makes a significant difference. Treating SARs as a normal business process rather than a last-minute scramble is key.”
During 2025, E2E Integration supported organisations in successfully completing 275 Subject Access Requests across multiple sectors.
