What Happens If a Company Ignores Your Data Subject Access Request?
Organisations have a legal obligation to respond to Data Subject Access Requests (DSARs) within one month. Failure to do so is a breach of UK GDPR.
Quick Answer
If a company ignores or unreasonably delays your Data Subject Access Request (DSAR), you can complain to the Information Commissioner's Office (ICO). The ICO has the power to issue enforcement notices and fines. You also have the right to bring a claim in the county court for compensation if you have suffered distress or financial loss as a result of the failure.
Full Explanation
Under UK GDPR (the retained version of the EU General Data Protection Regulation, supplemented by the Data Protection Act 2018), every individual has the right to obtain from a data controller: confirmation of whether their personal data is being processed; a copy of that personal data; and supplementary information about the processing (purposes, categories, recipients, retention periods, etc.). This is the Data Subject Access Right, exercised through a DSAR.
The controller must respond to a DSAR within one calendar month of receipt. If the request is complex or there are multiple requests, this can be extended by a further two months, but the controller must notify the requestor of the extension within the first month. There is no fee chargeable for most DSARs; the controller can charge a reasonable fee only for 'manifestly unfounded or excessive' requests.
Failure to respond within the time limits, or providing an incomplete or evasive response, is a breach of UK GDPR. The ICO is the supervisory authority in England and Wales. On receiving a complaint, the ICO can: assess the controller's compliance; issue an information notice requiring information; issue an enforcement notice requiring specific action; and issue a civil monetary penalty (fine) in serious cases.
For individuals, the right to compensation under UK GDPR Article 82 (implemented via Data Protection Act 2018 section 168) allows claims for material damage (financial loss) and non-material damage (distress) caused by a breach of UK GDPR. Cases such as Vidal-Hall v Google [2015] confirmed that distress alone (without financial loss) is sufficient to ground a compensation claim.
Before complaining to the ICO, you should escalate internally — send a follow-up letter to the company's Data Protection Officer (DPO) if they have one. The ICO expects organisations to have had a reasonable opportunity to resolve the issue before it intervenes.
Legal Basis
- §UK GDPR, Articles 15, 77, 82 (subject access right, right to complain, compensation)
- §Data Protection Act 2018, sections 45, 165–167 (subject access, complaints, compensation)
- §Vidal-Hall v Google Inc [2015] EWCA Civ 311 (non-material damage compensation)
What To Do
Follow Up With the Organisation
Send a written follow-up to the organisation's data protection team or DPO, noting that the one-month deadline has passed. Request an immediate response or written explanation of any valid extension. Keep a copy of all correspondence.
Escalate Internally
If there is no response to your follow-up, write to the organisation's senior management or their legal department formally placing them on notice of the breach and your intention to complain to the ICO.
Complain to the ICO
Submit a complaint to the Information Commissioner's Office via their online complaints portal (ico.org.uk). Provide evidence of your original request, the date sent, and the failure or inadequate response. The ICO will investigate and may take enforcement action.
Consider a Court Claim for Compensation
If the failure caused you distress or financial loss, you can bring a claim in the county court under Data Protection Act 2018 section 168 for compensation. This can be issued alongside the ICO complaint.
Use the DSAR Response in Other Proceedings
If you made the DSAR to gather evidence for another claim (e.g., employment tribunal or personal injury), alert the relevant court or tribunal to the failure to respond. Courts can draw adverse inferences from non-disclosure.
Important Deadlines
Important Warnings
The one-month period runs from the day the request is received — if you sent it by email, it is received on the day of sending.
Organisations can refuse to provide some information (e.g., third-party data, legally privileged documents) — check whether any exemptions have been properly applied.
Do not use DSARs frivolously or repeatedly as a harassment tool — the organisation can apply to the ICO for permission to refuse manifestly unfounded requests.