The key UK subject access request statistics in one place — the share of ICO complaints the right of access accounts for, how many DSARs organisations receive, what a single request costs to fulfil, who sends them, and what enforcement looks like when the one-month deadline is missed — with the data period next to every figure.
The right of access — exercised through the subject access request (SAR, often DSAR) — generates more complaints to the Information Commissioner's Office (ICO) than any other data protection issue in the UK. The core numbers on this page are computed directly from the ICO's quarterly data protection complaints CSVs and its Annual Report 2024/25, with employer-side volume and cost figures from EY Law's DSAR survey and the Guardum/Sapio Research cost study, and the rule changes drawn from the Data (Use and Access) Act 2025.
Key facts and figures
- 41.9% of all data protection complaint cases the ICO completed in 2024/25 had the right of access as the primary issue — 14,386 of 34,346 cases.
- 44.7% — the right-of-access share of completed ICO complaint cases in Q2 2025/26, the highest quarterly share published so far.
- 15,848 complaints about subject access reached the ICO between April 2022 and March 2023 — the surge behind its 2023 employer SAR guidance.
- £4,884.53 and 66 working hours — the average cost of fulfilling a single DSAR at UK organisations (2020 study).
- 27 DSARs a month were received by the average UK data protection officer in the same 2020 research.
- 60% of organisations reported a year-on-year increase in DSAR volumes in EY Law's 2023 survey.
- 31% of DSARs come from current or former employees — more than from any other group, including customers on 30% (2020).
- ~21,000 SARs went unanswered on time at the Home Office in 2021 — part of the ICO's seven-organisation SAR crackdown of September 2022.
These are the latest figures available as of July 2026, and the two main refresh points are the ICO's quarterly data protection complaints CSV, published around six weeks after each quarter ends, and the ICO Annual Report each July.
Is the right of access the ICO's most common complaint?
Yes — right of access was the primary issue in 41.9% of all data protection complaint cases the ICO completed in 2024/25: 14,386 of 34,346 cases, computed from the ICO's four quarterly complaints CSVs covering April 2024 to March 2025. It is the largest complaint category by a wide margin — no other single issue comes close to its share. The ICO logs these cases under two codes, both of which are SAR complaints in practice: 8,110 cases recorded as "Art 15 – Right of access" and a further 6,276 as "Art 15(3) – provide a copy of the personal data".
The share is still climbing. In Q2 2025/26 (July–September 2025) right-of-access complaints reached 44.7% of completed cases (4,187 of 9,361), and in the latest published quarter, Q3 2025/26 (October–December 2025), the share was 43.3% (3,748 of 8,646).
| Period | Right-of-access cases | All completed complaint cases | Share |
|---|---|---|---|
| FY 2022/23 (Apr 2022 – Mar 2023) — complaints received, for scale | 15,848 | Not comparable (received, not completed) | — |
| FY 2024/25 (Apr 2024 – Mar 2025) | 14,386 | 34,346 | 41.9% |
| Q2 2025/26 (Jul – Sep 2025) | 4,187 | 9,361 | 44.7% |
| Q3 2025/26 (Oct – Dec 2025) | 3,748 | 8,646 | 43.3% |
The share figures are computed from the ICO's published per-case complaints datasets; each quarterly CSV covers cases completed in that quarter, and the table is updated as each new file lands. The 2022/23 row uses a different measure — subject access complaints received, the figure the ICO itself cited when launching its employer guidance — so it is shown for scale rather than as part of the share series.
The pressure is not new. The ICO received 15,848 complaints about subject access between April 2022 and March 2023 — the surge that prompted it to publish dedicated SAR guidance for employers in May 2023. And the dominance is easy to explain: a SAR is free to make, needs no lawyer and no special wording, and comes with a hard, checkable deadline of one calendar month — so when an organisation misses it, the requester knows immediately and the complaint practically writes itself.
For denominator context, the ICO received 42,881 data protection complaints in total in 2024/25, up from 39,721 in 2023/24 — a rise of around 8%. Trend analysis of those totals, and of how the ICO itself performs in handling them, lives on our ICO complaints statistics page; this page is scoped to the right-of-access slice. One methodological note: the 41.9% share is a share of cases completed during the year (34,346), which is a different denominator from complaints received (42,881).
How many DSARs do UK organisations receive?
The average UK data protection officer received 27 DSARs a month in the Guardum/Sapio Research study of UK organisations (2020), and research by The Data Privacy Group (November 2021) put large firms at between 6 and 28 requests a month. Volumes have grown since those baselines were set: in EY Law's 2023 survey of more than 500 financial-services data protection professionals, 60% of organisations reported a year-on-year increase in DSAR volumes (based on FY2021–22 handling data).
How requests are handled explains why the workload bites. 88% of organisations deal with DSARs fully in-house, and 58% still process them manually, with 46% using some form of technology to assist (EY Law, 2023). Manual handling is where the hours — and the missed deadlines — come from: a SAR can arrive at any part of the organisation, verbally or in writing, without ever using the words "subject access request", and front-line staff have to recognise it before the one-calendar-month clock is even acknowledged. Our individual rights guide walks through the full handling process step by step.
The same EY survey found that 51% of organisations had received complaints from data subjects about their DSAR handling — a striking figure given that every one of those complaints can also be escalated to the ICO, where it joins the right-of-access pile documented above.
How much does it cost to process a subject access request?
The average DSAR cost UK organisations £4,884.53 and 66 working hours to fulfil, according to the most-cited UK study, by Guardum and Sapio Research (2020). At the top end, the same research found large UK businesses spending around £1.59 million and 24 person-years on DSAR fulfilment every year.
Later research points the same way. The Data Privacy Group (November 2021) put the typical cost at roughly £1,000 per request, with DSARs costing individual UK businesses between £72,000 and £336,000 a year depending on volume. Gartner's global benchmark — the standard figure in international comparisons — prices a single manually fulfilled DSAR at around £1,200 ($1,406–$1,524, 2019–2022 estimates).
| Cost measure | Figure | Source and data period |
|---|---|---|
| Average cost of fulfilling one DSAR (UK) | £4,884.53 | Guardum / Sapio Research, 2020 |
| Average staff time per DSAR (UK) | 66 working hours | Guardum / Sapio Research, 2020 |
| Annual DSAR spend, large UK businesses | ~£1.59 million (24 person-years) | Guardum / Sapio Research, 2020 |
| Typical cost per request (UK) | ~£1,000 | The Data Privacy Group, November 2021 |
| Annual DSAR cost per UK business | £72,000 – £336,000 | The Data Privacy Group, November 2021 |
| Global benchmark per manually fulfilled DSAR | ~£1,200 ($1,406 – $1,524) | Gartner, 2019 – 2022 estimates |
Where does the money go? The hours sit in searching across email, HR and line-of-business systems, reviewing every document that mentions the requester, and redacting third-party personal data before disclosure — all work that scales with how much data the organisation holds and how scattered it is.
A caveat worth stating plainly: the UK cost baselines date from 2020–2021, and they remain the standard citations because no study of comparable scale has replaced them. With 60% of organisations reporting rising volumes since then (EY Law, 2023), real annual DSAR spend today is likely to sit above these figures, not below them.
Who sends the most DSARs — employees or customers?
Current and former employees send 31% of DSARs — more than any other group — with customers close behind on 30% (Guardum, 2020). That employee share is the single most important fact for DSAR workload planning, because employee requests are typically the heaviest to fulfil: they reach across years of email archives, HR files, appraisal records and manager notes, and every mention of the requester has to be found, reviewed and — where it names someone else — redacted.
The timing of employee requests matters too. SARs have become a standard tool in workplace disputes: they frequently arrive mid-grievance, mid-disciplinary or ahead of an employment tribunal claim, when the requester (or their adviser) is using the right of access as a disclosure route. That is precisely the pattern that pushed subject access complaints to the ICO to 15,848 in 2022/23 and led the regulator to publish employer-focused SAR guidance in May 2023, aimed squarely at HR teams fielding requests from their own staff.
The message for employers is blunt: the group most likely to send you a DSAR is also the group most likely to know your deadline, most likely to complain if you miss it — and already inside your building.
What happens if an organisation misses the SAR deadline?
Missing the deadline is the most common route into ICO enforcement on the right of access. The statutory deadline is one calendar month from receipt, extendable by up to two further months for complex or numerous requests, and the ICO acts where failure is systemic. In September 2022 it reprimanded seven organisations in a single sweep over SAR backlogs, including:
- The Ministry of Defence — a backlog of around 9,000 unanswered subject access requests.
- The Home Office — roughly 21,000 SARs left unanswered within the statutory deadline between March and November 2021.
- Virgin Media — missed the deadline on 14% of the roughly 9,500 DSARs it received in a six-month period.
Enforcement has continued since. In December 2024 the ICO reprimanded United Lincolnshire Teaching Hospitals NHS Trust for failing to answer 32% of SARs within the statutory one calendar month (covering March 2021 to March 2022).
Note what the sanction usually is: SAR failures typically attract reprimands and enforcement notices rather than monetary penalties — public criticism plus mandated improvement, rather than a fine. The UK's fine ledger, including which breaches do draw penalties, is tracked separately on our GDPR fines statistics page. For the individual, the practical remedies for a missed deadline are a complaint to the organisation, a complaint to the ICO — where right-of-access cases already make up more than two-fifths of the workload — and, in principle, a court order and compensation for damage or distress.
How does the Data (Use and Access) Act 2025 change SAR rules?
The Data (Use and Access) Act 2025 — Royal Assent 19 June 2025, with provisions commencing in phases into 2026 — makes two changes that directly affect how SARs are handled.
- "Stop the clock" — the one-month response period can now be paused while the organisation reasonably waits for the requester to clarify the request or verify their identity, resuming when the information arrives.
- Reasonable and proportionate search — organisations are required to conduct a reasonable and proportionate search for the requester's data, but are not obliged to search every conceivable location regardless of cost or effort.
Both concepts existed before as ICO guidance positions; the DUAA puts them into statute, which gives organisations firmer ground when scoping a search or pausing the clock — and gives requesters a clearer test to challenge against. The one-calendar-month deadline itself is unchanged, as is the rule that the first copy of the data is free. The ICO updated its right-of-access guidance for the DUAA on 8 December 2025 (version 1.0.87), and that guidance hub is the authoritative operational reference for handling requests under the new rules.
Expect the changes to show up in the numbers over time: a properly logged stop-the-clock pause converts what would have been a technically late response into a compliant one, so the late-response element of SAR complaints may soften even while raw request volumes keep rising.
Frequently asked questions
What is the most common data protection complaint to the ICO?
The right of access. SAR-related complaints were the primary issue in 41.9% of the 34,346 complaint cases the ICO completed in 2024/25 (14,386 cases), and the share reached 43–45% in the quarters published since — around double any other complaint category.
How much does it cost a business to process a subject access request?
The standard UK benchmark is £4,884.53 and 66 working hours per request (Guardum/Sapio Research, 2020). The Data Privacy Group's 2021 research put the typical cost at roughly £1,000 per request and £72,000–£336,000 a year per business, while Gartner's global benchmark is around £1,200 per manually fulfilled request.
How many DSARs do companies receive?
The average UK data protection officer received 27 DSARs a month in the 2020 Guardum study, and large firms received 6–28 a month in The Data Privacy Group's 2021 research. Volumes are rising: 60% of organisations reported year-on-year growth in EY Law's 2023 survey.
Who sends the most DSARs — employees or customers?
Employees, narrowly: 31% of DSARs come from current or former employees against 30% from customers (Guardum, 2020). Employee requests are usually the most labour-intensive, and they often arrive during grievances, disciplinaries or tribunal claims.
What happens if an organisation misses the one-month SAR deadline?
The requester can complain to the organisation and then to the ICO, which can issue reprimands and enforcement notices — as it did against seven organisations at once in September 2022 (including the MoD's 9,000-request backlog) and against United Lincolnshire Teaching Hospitals NHS Trust in December 2024. Courts can also order compliance and award compensation.
How does the Data (Use and Access) Act 2025 change SAR response rules?
Two changes: the response clock can be paused ("stop the clock") while the organisation reasonably waits for clarification or ID from the requester, and searches need only be reasonable and proportionate. The one-calendar-month deadline and the free first copy are unchanged.
Related guides
- ICO complaints statistics UK: volumes, topics and outcomes
- GDPR Fines UK: ICO Fine & Enforcement Statistics
- Data Breach Statistics UK: ICO Reports, Trends & Costs
- Individual rights under GDPR: a complete guide to data subject rights
- What is personal data under GDPR? Definitions and examples
Sources & references
- Information Commissioner's Office — Data protection complaints data sets (quarterly per-case CSVs)
- Information Commissioner's Office — Annual Report and Financial Statements 2024/25
- Information Commissioner's Office — Right of access (SAR) guidance
- Information Commissioner's Office — Enforcement action
- EY Law — Data subject access requests (DSARs) 2023 survey
- Statista — Average cost of a data subject access request in the UK (Guardum/Sapio Research)
- GRC World Forums — What is the true cost of handling DSARs?
- Startups Magazine — DSARs cost individual UK businesses up to £336,000 a year (The Data Privacy Group)
- Cordery Compliance — ICO takes action over subject access request failures
- legislation.gov.uk — Data (Use and Access) Act 2025
- GOV.UK — Data (Use and Access) Act 2025: data protection and privacy changes
Right of access is the ICO's number-one complaint topic — train your team to recognise a subject access request and respond correctly within the one-month deadline.
Explore the GDPR & Data Protection Course →