Data Protection Specialists Warn of Common Subject Access Request Mistakes as Requests Rise Across the UK

Cheshire, UK. February 3rd, 2026 – E2E Integration, a Cheshire-based IT and data protection consultancy, is warning organisations across the UK that many are making avoidable mistakes when handling Subject Access Requests, as scrutiny around response times increases.

The company, which helps organisations handle and respond to SARs, has seen a clear increase in demand for support in recent months, as changes to UK data protection legislation continue.

Now, they are sharing their advice with businesses on the most common mistakes to avoid when handling Subject Access Requests.

“One of the biggest mistakes we see is organisations misunderstanding what a Subject Access Request actually covers,” said Sarah Webb, Director of Data Protection at E2E Integration. “Many assume it only applies to formal documents or HR records, but emails, internal messages, shared drives, cloud systems, and archived data can all be in scope. Overlooking this often leads to delays and incomplete responses.”

Sarah also highlighted that organisations need to watch out for statutory deadlines.

“The biggest risk is time,” Sarah explained. “The one-month legal deadline comes around very quickly, especially when data is spread across different systems or teams. Delays usually happen because it’s unclear who owns the request or where the data sits, rather than because of technical problems.”

“Businesses also need to be aware that the deadline starts from the day a request is received, and the response must be provided by the same date in the following month, or the last day of the month if there is no corresponding date.”

Another recurring issue is the way organisations respond to SARs only once a request is received.

“Too often, SARs are treated as a one-off emergency,” Sarah added. “Without clear processes and ownership in place, meeting the one-month legal deadline becomes extremely difficult, especially when data is held across multiple systems or teams.”

These challenges are increasing as the UK prepares for changes to data protection law under the upcoming Data Reform Bill (DUAA). While the legislation aims to modernise the framework, E2E Integration stresses that it should not be seen as reducing responsibilities for organisations.

“Subject Access Requests are becoming more frequent, particularly in situations involving complaints, employment matters, or disputes,” Sarah said. “Although the law is evolving, organisations will still be expected to demonstrate that they know where personal data is held and how requests are managed.”

E2E Integration works with organisations across the UK, including schools and multi-academy trusts, healthcare and care providers, public and third-sector bodies, and commercial businesses. However, the consultancy emphasises that any organisation holding personal data can receive a SAR, regardless of size or sector.

“To reduce risk, organisations need simple, practical processes in place,” Sarah concluded. “Knowing what data you hold, assigning clear responsibility and being cautious about the tools you rely on makes a significant difference. Treating SARs as a normal business process rather than a last-minute scramble is key.”

In 2025 alone, E2E Integration supported organisations with the successful completion of 275 Subject Access Requests, across a range of businesses and sectors.

ENDS