The Enforcement Notice issued to Bristol City Council (BCC) in August 2025 by the Information Commissioner’s Office (ICO) sets out a sobering example of what happens when Data Subject Access Requests (DSARs) are mismanaged over an extended period. For in-house legal and data governance teams, it offers a clear and practical framework for how the regulator expects organisations to respond when facing a DSAR backlog.
BCC had accumulated almost 200 overdue DSARs, some dating back more than three years. Despite repeated engagement with the ICO since early 2023, the council failed to demonstrate meaningful progress in tackling the backlog. Ultimately, the ICO issued an enforcement notice, identifying breaches relating to timely response, access to personal data, and provision of mandatory information required under Article 15 of the UK GDPR.
The Enforcement Notice provides a useful guide for data governance practitioners as to central issues that any organisation should consider when developing a remediation plan.
First, transparency with data subjects is essential. Communications with requestors should be an ongoing, proactive event. Provision of clear updates is a fundamental part of compliance, especially where delays have already occurred, as an absence of communication can lead to distress and further complaints.
Second, any action plan should set strict deadlines for fulfilling overdue SARs. It is notable that BCC used a priority system, but urgency was often only recognised after external pressure. For example, SARs were escalated only after court involvement, ICO referral, or multiple chasers from the data subject. Even then, some high priority cases remained unresolved for months, undermining the credibility of the prioritisation framework. It is notable that the UK GDPR does not permit selective prioritisation of DSARs. All requests must be handled without undue delay, and remediation must be swift.
Third, reporting must be consistent and auditable. BCC’s compliance statistics were described by the ICO as confusing and contradictory. SARs disappeared from reports only to reappear later, and figures fluctuated without explanation. Legal teams should ensure that internal tracking systems are robust, and that reporting internally (and to regulators where relevant) is clear, consistent, and backed by reliable data. Without proper oversight, internal tracking systems and clear governance structures, progress inevitably falters.
Fourth, external support must be properly managed. BCC engaged an external organisation to help process complex DSARs, but according to the ICO it failed to provide clear instructions until nearly a year into the contract. Quality issues then led to further delays. Organisations considering external support must ensure providers are briefed, monitored, and held to defined standards.
Finally, urgency must be reflected in planning and resourcing. BCC’s own internal action plan lacked detail, timelines, and measurable targets. BCC repeatedly cited budgetary constraints and staffing shortages as barriers to progress. At one point, only one staff member was responsible for handling all children’s social care DSARs from 2013 to 2016. Resourcing is the organisation’s responsibility, and it is clear that while the ICO sympathises with budgetary constraints, a lack of resources is not the regulator’s concern. Legal teams should ensure that DSAR handling is properly staffed, supported by clear processes, and able to meet statutory deadlines.
Our content explained
Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.