Frequently asked questions
How long do I have to answer a subject access request (DSAR)?
You must respond without undue delay and within one calendar month of receiving the request. The clock starts the day the request arrives, even if it reaches the wrong person first. You can extend by up to two further months if the request is complex or numerous, but you must tell the requester within the first month and explain why. (UK GDPR Article 12(3); ICO Right of Access.)
What changed for DSARs under the Data (Use and Access) Act 2025?
The DUAA 2025 confirms in law that you only need to carry out a 'reasonable and proportionate' search when responding to a DSAR, and it puts on a statutory footing the ability to 'stop the clock' where you need the requester to clarify a broad request. Separately, from 19 June 2026 organisations must have a compliant complaints-handling process, because individuals must raise a data protection complaint with you before escalating to the ICO.
When is a Data Protection Impact Assessment (DPIA) required?
A DPIA is required before any processing likely to result in a high risk to individuals. The ICO's rule of thumb, drawn from the Article 29 Working Party guidance (WP248), is that if two or more of nine risk factors apply, you should carry out a DPIA. Some processing always requires one under UK GDPR Article 35(3), such as large-scale use of special-category data or systematic monitoring of a public area. This tool screens you against those factors.
Do I legally have to appoint a Data Protection Officer?
Under UK GDPR Article 37 you must appoint a DPO if you are a public authority or body, if your core activities involve large-scale regular and systematic monitoring of individuals, or if your core activities involve large-scale processing of special-category or criminal-offence data. If none of those apply, the ICO still expects a clearly accountable person for data protection. This check gives you a straight verdict on which applies to you.
Who should complete this check?
Managing directors, COOs, finance directors, general counsel, heads of operations and IT leads at mid-market and PE-backed organisations. It needs no legal training. It asks what your organisation could evidence today, not how your systems are configured.
How is it scored?
The DSAR module rates you against the six stages of the ICO right-of-access lifecycle, on four levels from Emerging to Optimised. Each stage is scored at its weakest point, as an assurance reviewer would read it. You also declare whether each answer rests on documents, knowledge or belief, and the tool grades how defensible your profile is. The DPIA and DPO modules are not scored: they apply the legal tests and give you a verdict.
What do I get, and is anything gated?
Your DSAR readiness band, your DPIA verdict, your DPO verdict, your top gaps as a prioritised action plan with the ICO reference for each, and a benchmark against UK businesses your size, all free and on screen. The only thing behind an email is a formatted, board-ready PDF of the same results.
Is this legal advice?
No. It is a readiness indicator based on ICO guidance and UK GDPR as amended by the DUAA 2025. It does not replace advice on your specific circumstances from a qualified data protection practitioner or lawyer.