DSAR Breach Compensation: What Happens When Responses Are Late
What happens when a DSAR response is late or incomplete. Compensation claims, tribunal decisions, and steps to take if you miss a deadline.
Last updated: 2026-03-29
When a DSAR Response Becomes a Breach
Missing a DSAR deadline is not an abstract compliance risk. It is a breach of data protection law that can result in compensation claims, regulatory enforcement, and litigation. Understanding when a response crosses the line from "delayed" to "breach" — and what the consequences look like — matters for any business that handles personal data.
Disclaimer: This content is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the UK GDPR, the EU GDPR, the Data Protection Act 2018, and relevant case law, as of the date of publication.
The Old Rule vs the Current Rule
Before the GDPR came into force on 25 May 2018, the UK Data Protection Act 1998 gave organizations 40 calendar days to respond to a subject access request. Organizations could also charge a fee of up to 10 pounds for processing the request.
Under the current rules — the UK GDPR and the Data Protection Act 2018 — the deadline is one calendar month from receipt of the request. The fee has been abolished for standard requests. The first copy of the data must be provided free of charge.
This is an important distinction for two reasons. First, if you are still operating under the assumption that you have 40 days, you are wrong. The deadline shortened when the GDPR took effect. Second, the removal of the fee means there is no administrative barrier to making a request, which has led to a significant increase in the volume of SARs businesses receive.
The one-month deadline can be extended by up to two additional months for complex or numerous requests, but only if you notify the requester within the first month and explain why the extension is necessary.
When Is a DSAR Response Legally a Breach?
A DSAR response becomes a breach of the UK GDPR when any of the following occur:
No response at all. Complete silence is the clearest breach. If you receive a valid SAR and do nothing, you are in violation of Article 12 and Article 15 of the UK GDPR from the moment the one-month deadline expires.
Response after the deadline without a valid extension. If you respond after the one-month period without having properly notified the requester of an extension within the first month, you are late. The response itself may still be useful to the requester, but the delay is a breach.
Incomplete response. Providing some but not all of the personal data you hold, or omitting the supplementary information required under Article 15 (purposes, recipients, retention periods, rights information), is a breach even if you respond within the deadline. A partial response does not satisfy the legal requirement.
Improper reliance on an exemption. If you withhold data by claiming an exemption that does not actually apply — for example, refusing to disclose data on the grounds that it is "commercially sensitive" when no specific exemption covers that — the withheld data constitutes a breach.
Failure to search adequately. If you only search your main database but the requester's data also exists in email systems, archived records, CCTV footage, or other sources, and you fail to include that data, the response is incomplete.
How Compensation Claims Work
Under Article 82 of the UK GDPR, any person who has suffered material or non-material damage as a result of an infringement of the regulation has the right to receive compensation from the controller or processor responsible.
This means that individuals can claim compensation for:
- Material damage: Quantifiable financial loss caused by the breach — for example, if the failure to provide data in time caused the individual to miss a legal deadline or lose a financial opportunity
- Non-material damage: Distress, anxiety, frustration, and inconvenience caused by the breach — this is the more common basis for DSAR compensation claims
The Legal Route
Individuals can bring compensation claims through the county court (in England and Wales) or the sheriff court (in Scotland). They do not need to go through the ICO first, although many individuals do complain to the ICO as a parallel step.
Claims for non-material damage (distress) arising from DSAR failures have become increasingly common. The courts have recognized that a failure to respond to a SAR can cause genuine distress, particularly where the individual needs the data for an ongoing legal matter, employment dispute, or immigration case.
Tribunal and Court Decisions
Several notable decisions have shaped the compensation landscape for DSAR breaches:
Vidal-Hall v Google [2015]: The Court of Appeal confirmed that individuals can claim compensation for non-material damage (distress) under data protection law without needing to demonstrate financial loss. This decision opened the door for distress-based DSAR compensation claims.
Rolfe v Veale Wasbrough Vizards LLP [2021]: The High Court awarded 250 pounds in compensation for distress caused by a delayed and incomplete SAR response. The court noted that while the distress was not severe, it was real and caused by the defendant's failure to comply with data protection law.
Farooqi cases and the First-tier Tribunal: Multiple tribunal decisions have addressed SAR failures in the context of immigration and asylum. In several cases, the tribunal has ordered disclosure and recognized that delays in providing subject access data to individuals involved in immigration proceedings caused measurable distress.
Lloyd v Google [2021]: The Supreme Court considered the question of whether "loss of control" of personal data is sufficient damage. While this case was primarily about data misuse rather than SAR failures, the principles about when non-material damage arises are relevant to DSAR compensation claims.
Compensation awards in DSAR cases have typically ranged from a few hundred pounds to low thousands for distress, though the amount depends on the specific circumstances, the severity of the distress, and the conduct of the data controller. Cases involving deliberate obstruction or repeated failures tend to attract higher awards.
Withholding Information: When It Is Lawful and When It Is Not
Organizations sometimes withhold data from a SAR response for reasons that sound plausible but are not legally valid. Understanding the distinction matters, because improper withholding strengthens a compensation claim.
Lawful Withholding
You can legitimately withhold specific data from a SAR response in the following circumstances:
- Third-party data: Where the data contains information about other identifiable individuals and it is not reasonable to disclose without their consent. Redact the third-party information and provide the rest.
- Legal professional privilege: Communications between you and your legal advisors for the purpose of legal advice or litigation.
- Crime prevention: Where disclosure would prejudice the prevention or detection of crime or the prosecution of offenders.
- Confidential references given by you: References you provided about the individual for employment, education, or training purposes.
- Management planning: Where disclosure would prejudice management forecasting or planning.
In every case, the exemption applies to specific data, not to the entire request. You must still provide all data that is not covered by an exemption.
Unlawful Withholding
The following are not valid reasons to withhold data:
- "The data is commercially sensitive" — unless a specific exemption applies, commercial sensitivity is not a ground for refusal
- "Disclosure would be embarrassing" — this is not a recognized exemption
- "The requester will use it in litigation against us" — individuals are entitled to their data regardless of how they intend to use it
- "It would take too much time" — that is what extensions are for
- "We have already told them what we hold" — a verbal summary does not satisfy the right of access; they are entitled to a copy of the data
- "A confidentiality agreement prevents disclosure" — contractual arrangements do not override statutory data subject rights
For the full list of exemptions, see our guide on DSAR exemptions.
Steps to Take If You Have Missed a DSAR Deadline
If you realize you are past the deadline, the worst thing you can do is continue to do nothing. Here is a practical recovery plan.
1. Respond as Quickly as Possible
A late response is significantly better than no response. The longer the delay, the stronger any compensation claim becomes and the more likely the individual is to complain to the ICO. Get the response out as soon as you can, even if it is days or weeks overdue.
2. Acknowledge the Delay
Do not pretend the response is on time or ignore the fact that it is late. In your covering letter or email, acknowledge the delay and apologize. This is not just courtesy — it demonstrates good faith, which regulators and courts consider when assessing the severity of a breach.
3. Provide a Complete Response
Do not compound a late response with an incomplete one. If you are going to be late, at least make sure the response itself is thorough, accurate, and includes all the required supplementary information. A late but complete response is far less damaging than a late and incomplete one.
4. Explain What Went Wrong
Briefly explain the reason for the delay. "We experienced an unusually high volume of requests" or "your request required searches across multiple archived systems" is more credible than silence. Do not make excuses — just state the facts.
5. Document Everything
Record the date the request was received, the deadline, the date you responded, the reason for the delay, and what steps you have taken to prevent it from happening again. If the individual complains to the ICO, this documentation is your evidence that the breach was not willful or systematic.
6. Review Your Process
A missed deadline is a signal that your DSAR process needs attention. Common root causes include:
- No one recognized the request as a SAR when it arrived
- The request was not escalated to the right person
- No tracking system or deadline monitoring in place
- Staff turnover or absence without handover
- Manual data searches taking longer than expected
Address the root cause, not just the symptom. One missed deadline is a mistake. Repeated missed deadlines are a systemic failure that regulators take seriously.
ICO Enforcement and Complaints
When an individual complains to the ICO about a DSAR breach, the ICO may:
- Contact you to request information about the request and your response
- Issue an assessment notice to investigate your data protection practices
- Issue an enforcement notice requiring you to take specific steps to comply
- Issue a reprimand — a formal finding that you have breached the law
- Issue a penalty notice — a fine for the breach
For most small business DSAR complaints, the ICO's approach tends to be corrective rather than punitive. They will typically ask you to provide the outstanding response and improve your processes. Fines are more common for repeat offenders, organizations that show willful disregard, or cases involving significant numbers of individuals.
However, the ICO's discretion is broad. Under Article 83 of the UK GDPR, fines for infringements of data subject rights can reach up to 17.5 million pounds or 4% of annual global turnover, whichever is higher. In practice, fines at this level are reserved for the most serious systemic failures, but the legal authority exists.
Prevention Is Cheaper Than Compensation
The cost of handling a DSAR properly — even a complex one — is almost always less than the cost of dealing with a compensation claim, an ICO complaint, or court proceedings. Building a reliable DSAR process with proper tracking, templates, and internal deadlines is the single most effective way to avoid late responses.
For a detailed breakdown of response deadlines across jurisdictions, see our DSAR response deadlines guide. For the full consequences of ignoring a DSAR entirely, see what happens if you ignore a DSAR.
References
- UK GDPR Article 82: Right to compensation.
- UK GDPR Article 83: General conditions for imposing administrative fines.
- ICO Guidance: Right of access and handling complaints.
- Vidal-Hall v Google [2015] EWCA Civ 311: Court of Appeal judgment on non-material damage.
Last reviewed: March 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.