The ICO have released updated information on time limits when responding to subject access requests from data subjects.
When you receive a request for data from a customer or employee, you have 1 month in most circumstances to get the data to them, but sometimes it's hard to work out exactly what 1 month means.
So, I advise you to read the ICO blog post and take notice of the examples they give and apply that to your GDPR policies and procedures.
And ensure your staff are kept up to date with these changes to ensure anyone who gets a subject access request knows how to handle it and in the right way.
Read more on the ICO website: GDPR Time Limits