Stop the clock: DSARs, complaints, and the new balance in UK and EU privacy rules

Privacy Culture | September 11, 2025

When people ask for their personal data, or complain about how it has been handled, organisations are working against the clock. Under both UK and EU law, the usual rule is a one-month deadline, with only limited room to extend. The pressure is real: data might be scattered across email archives, cloud systems, and HR folders, while the requester is counting down the days. That is why regulators on both sides of the Channel have allowed a “stop the clock” option in certain situations. The UK has now gone further, writing explicit provisions into law through the Data (Use and Access) Act 2025 (DUAA).

For privacy professionals, the question is how to use this extra time without overusing it, how to adapt complaint handling to new UK obligations, and how to keep the trust of the people exercising their rights.

How the UK clock now works

The DUAA makes several key changes to how DSAR deadlines work.

1. When the clock starts

The one-month period only begins once the organisation has:
•    received the request itself
•    obtained any proof of identity that was reasonably required, and
•    received any fee (where the request is manifestly unfounded or excessive)

This avoids losing valuable days while waiting for verification or payment.

2. Pausing for clarification

If a request is unclear or excessively broad, the controller can ask the individual to narrow or clarify the scope.
•    The statutory clock is paused until clarification is received.
•    If no reply comes, the request can be closed.

This is a significant change. Previously, the ICO acknowledged that it was acceptable to pause while waiting for clarification, but this was only set out in regulatory guidance, not in law. 

3. “Reasonable and proportionate” searches

Controllers are now only required to make reasonable and proportionate efforts when searching for personal data. This recognises that exhaustive trawls through vast archives or backup systems are not always practical. This is a significant change from the strict “all data, wherever it sits” interpretation that sometimes applied under the UK GDPR.

New complaint duty

Alongside DSAR rules, the DUAA creates a statutory right for individuals to complain directly to the controller. Organisations must:
•    provide a clear and accessible complaint process
•    acknowledge within 30 days
•    respond without undue delay

EU rules and guidance

In the EU, the rules remain rooted in GDPR. The one-month deadline is still the default, with the option to extend by up to two additional months where requests are complex. Supervisory authorities consistently stress that extensions should be exceptional, not routine.

Stop-the-clock allowances exist but they are narrower than under the UK's DUAA. If identity is in doubt, the organisation can pause while it checks ID. If the request is broad, it can ask for clarification and pause briefly while waiting. The key difference is that if an individual does not narrow down the scope, the EU approach is still to proceed with the full request, making the best search possible within the original time limit. Closing a request altogether for lack of clarification is not allowed.

Finally, the GDPR does not impose a statutory duty to offer an internal complaint system. Individuals can complain directly to the supervisory authority. While many regulators encourage organisations to handle complaints internally as a matter of good practice and accountability, this is not a legal requirement.

Why this matters

The UK’s more explicit stop-the-clock rules give organisations breathing room, but they also carry a risk of misuse. If clarification is requested too often, or ID checks are demanded without genuine doubt, individuals may feel their rights are being delayed or obstructed. Regulators are alert to this. The ICO has already warned that clarification should only be sought when genuinely needed, not as a blanket policy.

There is also the challenge of proportional searches. What is “reasonable and proportionate” for a small business is very different from a multinational with sprawling IT systems. Without clear boundaries, practices may vary widely. Regulators will expect organisations to document their reasoning: what systems were searched, what was left out, and why that was a fair balance.

On complaints, the UK’s new process may reduce cases reaching the regulator, but it may also frustrate individuals who do not want to go back to the very organisation they are unhappy with. Whether trust improves or erodes will depend on how seriously controllers take this duty.

Practical lessons

For privacy teams, three habits stand out.

Ask early, act early. If a request is unclear or the identity is in doubt, ask straight away. Waiting until the 28th day to seek clarification is unlikely to be accepted as acting in good faith.

Keep records. When you stop the clock, make a note of when and why. If you decide a backup tape search is disproportionate, record your reasoning. If challenged, this paper trail is your defence.

Treat complaints as opportunities. The easiest path is to treat the complaint as customer service. A quick acknowledgement, a clear explanation, and a fair resolution will often prevent escalation to the regulator. Stonewalling will do the opposite.

Looking ahead

For companies active in both the UK and EU, these differences add complexity. Some may choose to apply the stricter EU approach everywhere to simplify training and systems. Others may take full advantage of the UK’s provisions. Either way, the burden is on organisations to act transparently and explain their processes to data subjects.

There is also a wider policy question. The UK has so far avoided undermining its adequacy with the EU by keeping the higher threshold for rejecting DSARs and by limiting changes to what is seen as pragmatic tweaks. But the EU will watch closely. If UK organisations lean too heavily on proportionality to limit searches, or if the complaint system is used to stall rather than resolve, adequacy could become an issue again.

For now, the message is clear: stop-the-clock is a tool, not a loophole. It is there to make compliance workable, not to delay transparency. Used carefully, it can help organisations meet their obligations more reliably. Used poorly, it will invite complaints, regulator scrutiny, and fines.
