Bristol City Council’s DSAR failings: A wake-up call for organisations

On 27 August 2025, the Information Commissioner’s Office (ICO) issued a formal enforcement notice to Bristol City Council (BCC) for failing to comply with its legal obligations under the UK GDPR to respond to Data Subject Access Requests (DSARs). The case highlights what can happen when DSARs are not progressed within public sector data governance, and it offers critical lessons for all organisations handling personal data.

What happened?

The ICO’s investigation revealed that BCC had accumulated a backlog of 231 overdue DSARs by June 2025, with some dating back to 2022. Despite repeated engagement from the ICO since 2023, the council had made limited progress in resolving the backlog. The majority of the delayed requests related to sensitive children’s social care data, and the delays caused distress to individuals seeking access to their personal information.

BCC had previously engaged an external provider to assist with the backlog, but the arrangement failed to deliver results; only two DSARs were completed between July 2024 and March 2025. Although the ICO noted that the council had taken steps to try to reduce the number of DSARs, a substantial number remained outstanding, and the ICO had received 63 direct complaints about BCC’s DSAR compliance between 2023 and 2025.

ICO’s enforcement actions

The enforcement notice requires BCC to:

  • Contact all individuals with overdue DSARs to notify them of delays.
  • Resolve the oldest DSARs (from 2022) within 30 days.
  • Provide weekly progress updates to the ICO until the backlog is cleared.
  • Publish an action plan within 90 days, detailing how the backlog will be addressed.
  • Implement systemic changes within 12 months, including adequate staffing, training, and improved DSAR processes.

Key takeaways for organisations

This case offers several important lessons for both public and private sector organisations:

1. DSARs are not optional - Subject access is a fundamental right under UK GDPR. Delays or failures to respond can result in enforcement action, reputational damage, and legal liability.

2. Resourcing matters - BCC’s failure was partly due to under-resourcing. Social care files are voluminous and sensitive. Organisations must ensure they have sufficient staff, tools, and training to manage all types of DSARs effectively.

3. Backlogs are a red flag - A growing backlog signals systemic issues. Regular audits and performance monitoring can help identify and resolve bottlenecks before they escalate.

4. Third-party support must be managed - BCC’s experience with an external provider shows the importance of clear expectations, quality control, and accountability when outsourcing SAR processing.

5. Proactive compliance is key - Organisations should implement centralised SAR management systems, automate workflows where possible, and conduct regular staff training to stay ahead of compliance obligations. How the records are stored and retained should also be audited.

Final thoughts

This case is a stark reminder that data protection compliance is not just a legal requirement; it’s a matter of public trust and organisational integrity. As regulators continue to scrutinise DSAR handling, organisations must treat information access rights with due seriousness and ensure they comply with the legislation. For further information and support, please contact me.
