On 28 September, the ICO announced it had issued reprimands to seven organisations for repeatedly failing to respond to data subject access requests (DSARs) under the UK GDPR. These comprise six public sector organisations, including the Ministry of Defence and the Home Office, and one private sector organisation.
According to the published excerpts from the data subject complaints, the DSARs include requests relating to adoption and care records, requests relating to asylum applications, and requests made after password reset emails were sent to the wrong address. The organisations either failed to respond within the statutory timeframe of one month (which the UK GDPR allows to be extended by up to a further two months only where requests are complex or numerous, and only if the requester is told within the first month) or did not respond at all, leading to backlogs of DSARs. The ICO has given the organisations between three and six months to make improvements and report back to the ICO on those improvements.
The ICO is authorised to issue reprimands to a controller or a processor for breaches of the UK GDPR but these do not have to be, and often aren’t, made public. However, the ICO’s Communicating Regulatory and Enforcement Activity Policy states that the ICO will publish reprimands issued if “it will help promote good practice or deter non-compliance.” Information Commissioner John Edwards told the BBC that “naming and shaming organisations that fail to comply is a new proactive way for the ICO to work,” and “it’s going to become more common.”
Public authorities were already aware of the risk of public reprimands following John Edwards’ open letter to public authorities (where he committed to use discretion to reduce the impact of fines on the public sector at least until June 2024 and instead engage with the public sector and issue public reprimands where necessary). However, this is a marked change in approach from the ICO on DSAR enforcement action against businesses.
On the same day it issued the reprimands, the Head of Data Protection Complaints at the ICO also published a blogpost on DSARs stating that the ICO has written to “thousands of organisations asking that they do more to resolve complaints involving access rights.” Both the letters and the reprimands are in line with the ICO’s three-year strategic plan, ICO25, in which the ICO affirmed that its priority is to “empower people through a better understanding of how their information is used and accessed.” DSARs are the gateway for individuals to understand how their personal data is being used and to check organisations’ compliance.
At its core, any “naming and shaming” enforcement strategy relies on external pressures to drive internal improvements in compliance. The ICO’s stance on DSARs is no exception. The latest reprimands are a timely reminder to organisations, public and private alike, that failures to comply can be publicised and may therefore have an impact on reputation and customer trust, especially for consumer-facing businesses.
Given that the ICO is now extending this approach to the private sector (although, on the evidence of these reprimands, it may take a fairly high number of affected individuals and/or complaints before a private organisation is named), organisations should consider whether their strategy, processes and resourcing for DSARs need revisiting.
Having said that, the silver lining is that the ICO does not appear to be moving towards directly imposing hefty fines for non-compliance with DSARs. This remains a reasonably business-friendly, pragmatic approach, especially compared with the practice of some of the ICO’s counterparts in the EU, which have to date imposed numerous fines, in addition to issuing reprimands, on private and public organisations for systemic infringements of the GDPR rules on DSARs.