3 Oct 2025 | Blog, GDPR

Data Subject Access Requests – are you being responsive?

Howard Freeman

Howard Freeman

Paperwork, files and folders on a desk in an office.

If you are not keeping up with your DSARs, you are not alone.

Last week, the Information Commissioner’s Office issued an enforcement notice to Bristol City Council for failing to respond to hundreds of Data Subject Access Requests (DSARs). Some of these DSARs dated back over three years.

This wasn’t just a slap on the wrist; this was a formal demand by the ICO to:

  • Inform affected individuals.
  • Respond to overdue DSARs in a timely manner.
  • Submit weekly progress reports.
  • Create a robust action plan.
  • Fix broken underlying systems.

The Wider Messages are clear

  1. Generally, data subjects’ rights aren’t an optional extra
  2. Specifically, DSARs are a legal obligation under the GDPR.

It’s also clear that ignoring such requests erodes trust and risks serious reputational and regulatory consequences.

As an information governance or data protection professional responsible for DSARs, you must:

  1. Audit any DSAR backlog. Make sure that you “own” any delays and implement a robust remedial action plan.
  2. Map data flows to understand where data is, so you can respond effectively.
  3. Train team members who touch DSARs in any way, whether in legal, IT, HR, customer service or elsewhere.
  4. Automate where possible, creating effective templates, workflows and dashboards to streamline processes.
  5. Respond with empathy and clarity. Every DSAR is a data subject asking, “What do you know about me?” and deserves being treated with seriousness and respect.

Bristol City Council’s case is a warning to all data controllers: ask yourself whether you’d be ready if the ICO came knocking tomorrow?

If you need help with your DSAR processes and procedures, we can help. Perhaps you might consider outsourcing the role to us and lose the stress and the risk of falling foul of the ICO.

Contact us today.

0 Comments

Can we help?