GDPR Scenario · Pressure Signal: Deferral

The DSAR on Your Desk

Q: When does the clock on a DSAR start?

When the request is received, not when it is logged, reviewed, or convenient. Under GDPR the response is generally due within one month, with limited extensions for complex requests.

Q: My manager told me to wait. Am I covered?

A wait instruction does not stop the legal clock or remove the organization's obligation. The right move is to make the deadline visible and escalate to your DPO or legal team promptly.

A formal data subject access request just landed. Your manager glances at it and says, “Bad timing — sit on it for now, legal hasn’t even looked. We’ve got a month, nobody’s counting exactly.” Do you wait?

Quick Answer

What should you do when a data subject access request arrives at a bad time?

Acknowledge and log it the day it arrives, and flag it to your DPO or legal team immediately. Under GDPR, the response clock — generally one month — starts when the request is received, not when it’s convenient. “We’ll get to it” isn’t a neutral choice: deliberate delay erodes a person’s legal right and creates real exposure for the organization. You can be respectful of a manager’s timing and still not let the clock run out quietly.

The Pressure Signal: Deferral

The deadline feels soft because no one is standing over it. There’s always a more urgent fire, the request is awkward, and a month sounds like plenty. So it slides — not from a decision to ignore it, but from the quiet comfort of “later.” The clock, meanwhile, does not care that you were busy.

The Situation

Bram works in HR operations at Velsenhoff Medical. A former employee has sent a formal request for all the personal data the company holds about them — a data subject access request. It’s detailed, a little pointed, and it’s the week of quarter close.

Bram takes it to his manager, who skims it and waves it off: “Not now. Legal hasn’t reviewed it, the data’s sensitive, and we’re slammed. We’ve got thirty days — nobody’s counting exactly. Put it aside and we’ll deal with it after close.” It sounds reasonable. The manager outranks him. And honestly, dealing with it later would be easier. Bram closes the email.

Three Ways People Respond

1. Sit on it.

The manager said wait, and a month is plenty. Why it fails: the response clock starts on the day the request arrives, not the day someone gets around to it. A “wait” instruction doesn’t pause it, and deliberate delay turns a routine request into a compliance failure with the deadline already burning.

2. Quietly handle it himself.

Pull what he can find and send it without logging or escalating. Why it fails: DSARs need to be logged, the requester verified, the scope assessed, and the DPO or legal involved — freelancing risks an incomplete or over-broad disclosure that creates its own problem.

3. Log it, start the clock, escalate.

Acknowledge the request the same day, record the deadline, and flag it to the DPO — even though the manager wanted to wait. Why it works: see below.

The Right Call

Treat the request as what it is the moment it lands: acknowledge it, log it, note the response deadline, and bring in the DPO or legal team to own the process. None of that conflicts with the manager’s real concern — that legal should review, and the work shouldn’t be rushed. It just keeps the clock visible.

If the manager still wants to defer, Bram has a simple, respectful answer: “The clock started when it arrived — here’s the date we have to respond by. Let’s make sure legal sees it now so we don’t lose the window.” Raising the deadline isn’t insubordination. It’s the one thing that protects everyone.

Why It’s Harder Than It Looks

Everything about the moment argues for waiting. The manager outranks you. “Let legal look first” sounds prudent. A month feels generous. And no alarm goes off when you close the email. Deferral is the most natural thing in the world, which is exactly why missed DSAR deadlines are common and rarely the result of anyone deciding to break the rules. The deadline isn’t missed in one big choice; it’s missed one reasonable “later” at a time.

“I’d never blow a legal deadline.”

No one plans to. Deadlines aren’t blown by people who don’t care — they’re blown by people who had a good reason to wait, and then another, until the date arrived. The protection isn’t intended to be timely. It’s starting the clock out loud on day one.

How to Run This With Your Team

Take 10–15 minutes. Read the situation, then ask the group: “Your manager just told you to wait — what do you actually do?” Let them sit with the discomfort of pushing back up the chain; that tension is the real lesson. Surface how reasonable “later” feels, then make the clock concrete: it starts on arrival.

Close on the habit: the moment a request like this lands, acknowledge it, log the deadline, and escalate the same day. Available as a manager-led Decision Brief™.

Go deeper with GDPR compliance training, browse the full GDPR scenario library, or see the US-side companion in the Data Privacy & CCPA scenarios. (GDPR governs EU personal data; CCPA/CPRA governs California residents’ data — different frameworks, different rights.)

Frequently Asked Questions

When does the clock on a DSAR start?

When the request is received — not when it’s logged, reviewed, or convenient. Under GDPR the response is generally due within one month, with limited extensions for complex requests.

My manager told me to wait. Am I covered?

A “wait” instruction doesn’t stop the legal clock or remove the organization’s obligation. The right move is to make the deadline visible and escalate to your DPO or legal team promptly.

Should I just answer it myself to save time?

No. DSARs need the requester verified, the scope assessed, and the DPO or legal involved. Acknowledge and log it, then route it through the proper process.

Build people who start the clock out loud

Run this scenario with your team as a 15-minute Decision Brief™, or explore the full Xcelus approach.

Explore Decision Briefs →
Contact Xcelus