Key Takeaways
- The Data (Use and Access) Act 2025 (DUAA) added a new Article 12A to the UK GDPR that lets you legally "stop the clock" on a subject access request while you wait for information you reasonably need to identify what the person is asking for. The pause is now statute, not just regulator practice (DUAA s.76, in force 5 February 2026).
- The one-month deadline itself has not moved. You must still respond "without undue delay and at the latest within one month," and the clock starts the day after you receive the request (ICO right-of-access guidance).
- A second change, Article 15(1A), means you only have to hand over what a "reasonable and proportionate search" turns up (DUAA s.78) — and unusually, s.78(5) states this rule is treated as in force since 1 January 2024.
- These are UK-only rules. The EU GDPR has no equivalent statutory stop-the-clock, so a store selling into both markets now runs two different DSAR playbooks.
- Access-rights failures sit in the higher fine tier — up to £17.5 million or 4% of global annual turnover (ICO). "We paused the clock" only holds up if you can show the pause was genuinely needed.
Introduction
It is 16:40 on the Friday before your biggest sale of the year when the email lands: "Please send me everything you hold about me." The one-month clock starts ticking — and until 5 February 2026, a UK store had almost no lawful way to slow it down.
The DUAA changed that. Two new provisions — a statutory "stop the clock" and a "reasonable and proportionate search" standard — reshaped how UK online stores must handle customer subject access requests (DSARs). Most of the guidance published so far is written for HR teams fielding requests from ex-employees. This guide is for the shop owner whose customer data lives in Shopify, Stripe, Klaviyo and Zendesk, and who needs to know exactly what did — and did not — change.
This article is informational content, not legal advice. Data-subject-rights procedures vary by circumstance; confirm specifics with a qualified professional.
What the DUAA Actually Changed About Subject Access Requests
The DUAA made two targeted changes to the UK right of access, both live since 5 February 2026. It added a statutory pause on the response clock while you seek clarification (new Article 12A), and it capped your search obligation at what is "reasonable and proportionate" (new Article 15(1A)). The one-month deadline itself is unchanged.
The Act received Royal Assent on 19 June 2025, and the bulk of its data-protection provisions were switched on by a commencement order (The Data (Use and Access) Act 2025 (Commencement No. 6) Regulations 2026) on 5 February 2026. The Information Commissioner's Office has said it will apply the law as it stood at the time of any alleged infringement and use discretion where an old rule is being replaced by a similar new one — so treat this as a live regime with case-by-case enforcement, not a grace period to ignore.
The deadline did not get longer
The headline number is the same as before: you have one calendar month to respond, and the ICO's guidance is explicit that the clock starts the day after the request arrives. For genuinely complex or numerous requests you can still take up to two further months — a maximum of roughly three months in total — but that extension existed in the original UK GDPR Article 12(3) and is not a DUAA invention. If you have been telling customers "we have a month," you still do.
"Stop the Clock": How the New Article 12A Pause Works
Under new Article 12A(5), if you reasonably need more information to identify what a request covers — for example because you hold a large volume of data on that person — the days between asking for clarification and receiving a reply "do not count towards" the one-month period. In plain terms: the clock pauses when you ask, and resumes when they answer.
The mechanism is built on a defined starting point. Article 12A(2) sets "the relevant time" as the latest of three moments: the day you receive the request, the day you receive any identity confirmation you asked for under Article 12(6), or the day any permitted fee is paid. The one-month period runs from that relevant time. Before the DUAA, this pause lived only in ICO guidance; the Act writes it into the UK GDPR itself, which matters because statute is far harder for a disgruntled requester to argue away than a regulator's webpage.
There are firm limits on when you can press pause. The ICO's right-of-access guidance is clear that the pause applies only when you are seeking clarification about what information the person actually wants (or verifying who they are) — not for unrelated matters such as which file format they would prefer. You also cannot pause silently: you must tell the requester that the clock is stopped from the date you ask, and that it restarts the day after they reply. In the ICO's own worked example, a reply received on 18 May restarts the clock on 19 May.
Here is the practical model to keep on a sticky note:
| Event | Effect on the one-month clock |
|---|---|
| Request received (identity clear, no fee) | Clock starts the next day |
| You reasonably need ID verification (Art 12(6)) | Clock does not start until ID arrives |
| You reasonably need clarification of scope (Art 12A(5)) | Clock pauses from the day you ask |
| Requester replies to clarification | Clock resumes the following day |
| Request is complex or numerous | Up to two further months (pre-existing Art 12(3)) |
Our recommendation: treat clarification as a genuine scoping tool, not a delay button. The pause only bites when you reasonably require the information, and the ICO expects you to justify each use — so a blanket "we always ask for clarification" policy is the fastest way to lose the benefit of the pause and invite a complaint. Ask a specific question, log why you needed it, and send it the same day the request arrives rather than on day 29.
"Reasonable and Proportionate": The New Search Standard
New Article 15(1A) says a data subject is entitled only to the confirmation, personal data and information you can provide "based on a reasonable and proportionate search." You must make reasonable efforts to find someone's data, but you are not obliged to run searches that would be disproportionate to the value of the information — provided you can show why. This is the single most useful change for a small ops team drowning in disconnected tools.
There is a quirk worth flagging: while the stop-the-clock rule took effect on 5 February 2026, the search standard is different. Section 78(5) of the DUAA states that its amendments "are to be treated as having come into force on 1 January 2024" — a retrospective effect that reaches back before the Act was even passed. In practice that means the reasonable-and-proportionate test already governs how a court or the ICO would judge searches you ran across that earlier period.
What does "reasonable and proportionate" mean when your data is scattered? Consider the realistic eCommerce reality — and this is a composite illustration, not a real case. Say you run a mid-size direct-to-consumer skincare brand. A DSAR arrives, and the customer's data sits in Shopify (orders), Stripe (payments), Klaviyo (email engagement), Zendesk (support tickets) and a fraud-scoring app. A reasonable and proportionate search covers the systems where you know their data lives and can retrieve it with ordinary effort. It does not necessarily mean forensically reconstructing a deleted webhook log from three years ago — but the burden is on you to document why a particular search was disproportionate, not simply to assert it. The ICO guidance is blunt on this: you must be able to show your reasoning if challenged.
How to Handle a Customer DSAR Under the DUAA, Step by Step
- Log it and timestamp it. Record the request and the date received; the clock starts the next day. A DSAR does not need to say "DSAR" or cite a legal article to count — "send me my data" is enough.
- Verify identity if you reasonably need to. Use Article 12(6). If you genuinely require ID, the one-month period does not start until it arrives — but do not demand ID reflexively from a customer you can already recognise.
- Decide whether you truly need clarification. If the request is clear, answer it. If it is genuinely too broad to action, ask a specific scoping question, tell the requester the clock is paused, and send it immediately.
- Run a reasonable and proportionate search. Work through your connected systems — storefront, payments, email platform, helpdesk, ad pixels, fraud tools — and note the scope decisions you make and why.
- Redact third-party and exempt data. An order record can contain a courier's details or another customer's information; remove what the requester is not entitled to before you disclose.
- Respond within one month of the relevant time. Extend only where the request is genuinely complex or numerous, and tell the requester if you do.
- Keep the paper trail. Record the search you ran, any pause, and the reasoning — that record is your defence if the ICO ever asks.
Common Mistakes to Avoid
The worst mistake, by a distance, is using "clarification" to stall a request that was already clear. The pause exists for genuine scoping problems; deploy it on an obvious request and you have not paused the clock, you have simply missed the deadline while creating evidence of bad faith. Rank the rest below it:
- Treating the pause as automatic. It is not. If you do not tell the requester the clock has stopped, you cannot rely on it.
- Reading "reasonable and proportionate" as "skip the hard systems." You still have to search where you know the data is. The standard lets you decline disproportionate effort, but only if you can document the judgement.
- Applying UK rules to EU customers. The stop-the-clock is a UK-only invention (see below). Pause an EU customer's DSAR on that basis and you are relying on a provision that does not exist in the EU GDPR.
- Assuming the deadline changed. It did not. One month, starting the day after receipt.
UK vs EU: You Now Run Two DSAR Playbooks
For any store selling into both the UK and the EU, the DUAA created a genuine divergence: the EU GDPR has no statutory stop-the-clock provision. EU practice allows only narrow, short pauses — for example where identity is genuinely in doubt — and if a data subject will not narrow an overly broad request, the expected EU approach is to proceed with the fullest reasonable search inside the original deadline rather than pausing indefinitely.
| Feature | UK (post-DUAA) | EU GDPR |
|---|---|---|
| Statutory clock pause for clarification | Yes — Article 12A(5) | No equivalent in statute |
| Codified "reasonable and proportionate search" | Yes — Article 15(1A) | Not codified as such |
| Base deadline | One month | One month |
| Complex-request extension | Up to two further months | Up to two further months |
The practical read: keep one DSAR procedure for UK customers that uses the pause deliberately, and a separate, tighter one for EU customers that assumes you cannot stop the clock. A single global "we'll pause if we're busy" policy is a compliance gap waiting to be found.
How PrivacyForge Helps
The DUAA changes reward stores that can prove exactly what they did and when. PrivacyForge's DSAR workflow is built around that evidence trail: it timestamps each request, tracks the statutory clock (including a lawful pause and resume with the reason recorded), and gives you a search checklist across your connected systems so a "reasonable and proportionate search" is something you can demonstrate rather than assert. Every scope decision, clarification and disclosure lands in an audit log — the record that turns "we complied" into "here is the proof." It replaces the spreadsheet-and-hope approach that most small teams inherit, without pretending the underlying legal judgement can be automated away.
Frequently Asked Questions
Does the DUAA change the one-month DSAR deadline?
No. The one-month deadline is unchanged. You must respond to a subject access request "without undue delay and at the latest within one month," and the clock starts the day after you receive the request. What the DUAA changed is when that clock can be paused, not how long it runs.
What does "stop the clock" mean for a subject access request?
"Stop the clock" refers to new UK GDPR Article 12A(5), which lets you pause the one-month response period while you wait for clarification you reasonably need to identify what a request covers. The days between asking and receiving a reply do not count toward the deadline. You must tell the requester the clock is paused.
Can I refuse a DSAR if the search would take too long?
Not outright, but new Article 15(1A) limits you to a "reasonable and proportionate search." You must make reasonable efforts to find the person's data, but you are not required to run searches that are disproportionate to the value of the information — provided you can document why a particular search was unreasonable if the ICO or requester challenges it.
When did the DUAA subject access request changes come into force?
The stop-the-clock rule (Article 12A) came into force on 5 February 2026, alongside most DUAA data-protection provisions. The "reasonable and proportionate search" standard (Article 15(1A)) is unusual: DUAA section 78(5) states it is treated as having come into force on 1 January 2024.
How is a UK DSAR different from an EU GDPR DSAR now?
The UK now has a statutory "stop the clock" pause and a codified "reasonable and proportionate search" standard; the EU GDPR has neither. A store serving both markets should run two DSAR procedures — one that uses the UK pause deliberately, and a tighter EU one that assumes the clock cannot be stopped.
Conclusion
The DUAA did not hand UK stores a longer DSAR deadline; it handed them a pause button with strict rules and a search standard that rewards good record-keeping. Used well, both changes make the Friday-afternoon DSAR far more manageable. Used as a stalling tactic, they become evidence against you. Build one UK procedure that pauses the clock deliberately and documents every search, keep a separate EU one that assumes no pause exists, and you turn a statutory change into an operational advantage.
Want to see what a defensible DSAR trail looks like end to end? [Explore how PrivacyForge automates data subject requests](/resources/blog/data-subject-access-requests-automation), then check your wider obligations against our [eCommerce GDPR compliance checklist](/resources/blog/gdpr-compliance-for-ecommerce-practical-checklist).
Sources
- [Data (Use and Access) Act 2025, Section 76 (Time limits for responding to data subjects' requests)](https://www.legislation.gov.uk/ukpga/2025/18/section/76)
- [Data (Use and Access) Act 2025, Section 78 (Searches in response to data subjects' requests)](https://www.legislation.gov.uk/ukpga/2025/18/section/78)
- [The Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026](https://www.legislation.gov.uk/uksi/2026/82/regulation/2/made)
- [ICO — Statement on the commencement of the Data (Use and Access) Act (DUAA)](https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/02/statement-on-the-commencement-of-the-data-use-and-access-act-duaa/)
- [ICO — What should we consider when responding to a request? (Right of access)](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/what-should-we-consider-when-responding-to-a-request/)
- [ICO — How do we find and retrieve the relevant information? (Right of access)](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/how-do-we-find-and-retrieve-the-relevant-information/)
- [ICO — Penalties (fine tiers under the UK GDPR / DPA 2018)](https://ico.org.uk/for-organisations/law-enforcement/guide-to-le-processing/penalties/)
- [Kennedys — The UK DUA Act's reform pillars: divergence from the EU GDPR (DSARs)](https://www.kennedyslaw.com/en/thought-leadership/article/2025/the-uk-dua-act-s-reform-pillars-divergence-from-the-eu-gdpr-data-subject-access-requests-dsars/)