What Happens If You Ignore a DSAR? Penalties and Consequences

The real consequences of ignoring a DSAR: regulatory fines, litigation, ICO complaints, and reputational damage explained for businesses.

Last updated: 2026-02-07

Ignoring a DSAR Is One of the Worst Compliance Mistakes You Can Make

Let us be direct: if you receive a DSAR and do nothing, you are choosing one of the most expensive possible outcomes in data protection. Not because the fine for a single ignored request will bankrupt you (though it might hurt), but because of the cascade of problems that follow.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the GDPR (in particular Article 83), the CCPA (Cal. Civ. Code §§ 1798.155 and 1798.150), and the UK GDPR / Data Protection Act 2018, as of the date of publication.

Ignoring a DSAR is not like ignoring a parking ticket. It is a signal to regulators that your organization either does not understand its legal obligations or does not care about them. Neither interpretation works in your favor.

This guide covers exactly what happens when a DSAR goes unanswered — the regulatory consequences, the litigation risks, the financial penalties, and the reputational damage — with real examples. The goal is not to scare you. It is to make the case that responding (even imperfectly) is always better than silence.

The Regulatory Consequences

GDPR Fines (EU)

Under GDPR Article 83(5), failure to respond to a DSAR can result in administrative fines of:

  • Up to 20 million euros, or
  • Up to 4% of annual global turnover, whichever is higher

These are the maximum penalties, and they are reserved for the most serious and systemic violations. A single missed DSAR from a small business is unlikely to attract a 20-million-euro fine. But the fines are not trivial at any level.

The GDPR's tiered penalty structure means that violations of data subject rights (including the right of access) fall under the higher tier of penalties. This is deliberate — the regulators consider the rights of individuals to be the core of the regulation.

What Regulators Actually Look At

When deciding on a fine, supervisory authorities consider:

  • The nature, gravity, and duration of the infringement — how serious was the failure, and how long did it go on?
  • Whether it was intentional or negligent — did you deliberately ignore the request, or did it fall through the cracks?
  • What you did to mitigate the damage — did you eventually respond, apologize, and fix your processes?
  • Your degree of cooperation with the regulator — did you engage with the investigation or stonewall?
  • Previous infringements — is this a first-time issue or a pattern?
  • The categories of personal data affected — was it basic contact information or sensitive data?

A small business that genuinely did not know about its DSAR obligations, cooperated with the regulator, and quickly fixed the problem will be treated very differently from a business that was warned, continued to ignore requests, and showed no willingness to comply.

UK ICO Enforcement

The UK Information Commissioner's Office (ICO) has the power to:

  • Issue enforcement notices requiring you to take specific actions (such as responding to the DSAR)
  • Issue penalty notices with fines up to 17.5 million pounds or 4% of annual worldwide turnover (UK GDPR Article 83)
  • Conduct audits of your data protection practices
  • Prosecute for certain criminal offenses under the Data Protection Act 2018

The ICO's approach tends to be pragmatic. For small businesses, the first step is usually guidance and an enforcement notice rather than an immediate fine. But if you have been warned and continue to ignore DSARs, the penalties escalate.

ICO Complaints: How They Work in Practice

When someone complains to the ICO about an unanswered DSAR, the typical process is:

  1. The ICO contacts you — they write to you explaining the complaint and asking for your response
  2. You have an opportunity to resolve it — if you respond to the DSAR at this stage, the ICO may close the complaint
  3. If you still do not respond — the ICO can issue an enforcement notice, compel you to respond, and consider financial penalties
  4. If you ignore the enforcement notice — this escalates significantly, and failure to comply with an enforcement notice is a criminal offense

The message is clear: there are multiple off-ramps before you reach a fine. But every one of them requires you to actually respond.

CCPA Penalties (California)

Under the CCPA, the consequences for failing to respond to a consumer request include (Cal. Civ. Code § 1798.155):

  • Civil penalties of up to $2,500 per unintentional violation
  • Civil penalties of up to $7,500 per intentional violation
  • Private right of action for data breaches involving unencrypted personal information (Cal. Civ. Code § 1798.150)

"Per violation" means per request, per affected consumer. If you have a pattern of ignoring DSARs and it comes to the attention of the California Attorney General (or, under the CPRA, the California Privacy Protection Agency), the numbers add up quickly.

For a business that ignored 50 DSARs from California consumers, the maximum exposure is $375,000 (at the intentional violation rate). That is a significant sum for any small business.

Other US State Laws

Most US state privacy laws (Virginia, Colorado, Connecticut, Texas, etc.) include enforcement mechanisms for failure to respond to consumer requests. Penalties vary but generally range from $2,500 to $7,500 per violation, enforced by the state Attorney General.

PIPEDA (Canada)

Under PIPEDA, the Privacy Commissioner of Canada can:

  • Investigate complaints about failures to respond to access requests
  • Make recommendations for corrective action
  • Publish findings that name your business
  • Refer matters to the Federal Court, which can award damages

PIPEDA's enforcement has historically been less aggressive than GDPR's, but the reputational impact of a published finding can be significant, particularly for businesses that operate in trust-sensitive industries.

Real Examples of DSAR Enforcement

Theory is useful, but real cases are more instructive. Here are examples of what has actually happened to businesses that failed to handle DSARs properly.

Example: Clearview AI (Multiple Jurisdictions)

Clearview AI, a facial recognition company, was fined by multiple regulators in part for failing to adequately respond to data subject access requests. The Italian DPA imposed a 20-million-euro fine, and the French CNIL imposed a similar penalty. While the fines covered multiple violations (not just DSARs), the failure to comply with access requests was a significant factor.

Example: ICO Enforcement Notices

The ICO regularly issues enforcement notices to organizations that fail to respond to SARs. While many of these involve public sector bodies (particularly police forces and local councils), private businesses are not immune. The ICO's published decision notices include cases where businesses were required to respond to overdue SARs and implement processes to prevent future failures.

Example: Employment Tribunal Cases

In the UK, employees who do not receive responses to DSARs frequently raise this as part of employment tribunal claims. While the tribunal itself does not enforce data protection law, the failure to respond is used as evidence of poor practice and bad faith. Courts have awarded compensation for distress caused by failures to respond to SARs.

Example: Small Business Complaints

The ICO receives thousands of complaints annually from individuals whose SARs have not been answered. Many of these involve small businesses. While the ICO does not publish details of every complaint, the pattern is consistent: businesses that ignore SARs are required to respond, and repeat offenders face escalating consequences.

The Litigation Risk

Beyond regulatory enforcement, ignoring a DSAR creates litigation risk.

Private Right of Action Under GDPR

Under GDPR Article 79, data subjects have the right to bring legal proceedings against a controller or processor for violations of their rights. This means an individual whose DSAR was ignored can:

  • Sue you directly in court
  • Claim compensation for material and non-material damage (including distress)
  • Recover legal costs

Employment Claims

Employee DSARs that go unanswered frequently become part of employment tribunal claims. An employee who is already in a dispute with their employer will use the DSAR failure as evidence of:

  • A culture of non-compliance
  • Bad faith in the employment relationship
  • An attempt to conceal relevant information

This can materially affect the outcome of the employment claim, even if the DSAR failure itself is not the primary issue.

Class Actions and Group Claims

In some jurisdictions, DSAR failures can form the basis of class actions or group claims. This is more common in the US under CCPA, where plaintiff attorneys are actively pursuing companies that systematically fail to respond to consumer requests.

The Reputational Damage

Financial penalties get the headlines, but reputational damage can be more costly in the long run, particularly for small businesses that depend on trust.

Public Enforcement Decisions

When a regulator publishes an enforcement decision against your business, it is public, searchable, and permanent. Prospective customers who Google your business name will find it. Prospective employees will find it. Business partners will find it.

Social Media and Review Sites

People who submit DSARs and do not get a response talk about it. They post on social media. They leave reviews. They tell their friends. For a B2C business, this kind of word-of-mouth can be devastating.

Industry and Professional Consequences

Depending on your industry, data protection failures can have professional consequences. Regulated businesses (financial services, healthcare, education) may face additional scrutiny from their sector regulators. Businesses that hold industry certifications may find those certifications at risk.

The Hidden Cost: Losing Control of the Narrative

Here is something that does not appear in any penalty guidance but matters enormously in practice: when you ignore a DSAR, you lose control of the situation.

If you respond — even if your response is imperfect, even if you are a few days late — you are demonstrating good faith. You are showing that you take your obligations seriously and that you are trying to comply. This matters when a regulator is deciding what to do, when a court is assessing compensation, and when a customer is deciding whether to escalate.

If you go silent, the requester fills the silence with the worst possible interpretation. They assume you are hiding something. They assume you do not care. They assume the worst. And they act accordingly — they complain to the regulator, they hire a lawyer, they post online.

Responding, even imperfectly, keeps you in the conversation. Silence hands all the power to the other side.

What to Do If You Have Already Missed a Deadline

If you are reading this because you have already ignored or missed a DSAR, here is what to do now.

Step 1: Respond Immediately

Even if you are weeks or months late, respond now. A late response is better than no response. In your response, acknowledge the delay and apologize.

Step 2: Be Thorough

Do not rush a sloppy response just to close the file. A late but thorough response is much better than a late and incomplete response. The requester (and any regulator they have complained to) will be looking closely at what you provide.

Step 3: Fix Your Process

If you missed a DSAR because you did not have a process, build one now. If you missed it because your process failed, fix it. Regulators care about what you do after a failure almost as much as the failure itself.

Step 4: Document the Remediation

Record what went wrong, why, and what you have done to prevent it happening again. This documentation is your defense if the requester complains to a regulator.

Step 5: Consider Proactive Disclosure to the Regulator

If the failure is serious (multiple ignored DSARs, sensitive data, high risk to individuals), consider whether to proactively disclose the issue to the relevant regulator. This is a judgment call that may benefit from legal advice, but proactive disclosure generally works in your favor.

The Cost-Benefit Calculation Is Clear

Let us put this in simple terms:

Cost of responding to a DSAR: A few hours of work, some process overhead, potentially a small amount of legal fees for complex cases.

Cost of ignoring a DSAR: Regulatory investigation, potential fines of thousands to millions, litigation costs, compensation payments, reputational damage, loss of customer trust, and the management time consumed by dealing with the fallout.

There is no scenario where ignoring a DSAR is the rational choice. Even the most complex, annoying, strategically timed DSAR is cheaper to respond to than to ignore.

The Deadline Is Not the End of the World

Missing a DSAR deadline is not ideal, but it is recoverable. Ignoring a DSAR entirely is a different matter — it is a conscious decision to not comply with the law, and it is treated that way by regulators and courts.

If you are worried about meeting your deadlines, see our guide on DSAR response deadlines for practical strategies. If you need help with the response itself, see our step-by-step response guide.

The best protection against DSAR problems is a simple, documented process that your team knows how to follow. It does not need to be perfect. It needs to exist.


Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.

Protect Your Business

Our DSAR Compliance Guide gives you everything you need to handle DSARs properly — process checklists, deadline trackers, response templates, and plain-English guidance on your obligations. Set it up once, and you will never have to worry about the consequences of an ignored request.
