On 3 September 2025, Mr Jason Blake appeared at Beverley Magistrates Court and was fined for failing to respond to a data subject access request (DSAR).
This incident is a striking reminder that failure to comply with this legal obligation is not just poor practice—it can be a criminal offence.
The case highlights the serious consequences of non-compliance and reinforces the importance of robust data protection procedures in the workplace, both in terms of recognising a DSAR and how to appropriately respond to one.
The Facts
Mr Blake the director of a care home, who received a DSAR from an individual seeking access to personal data held by the care home about her father. Mr Blake refused to respond to the request and a complaint was made to the ICO. The ICO investigated and found that the director had failed to comply with their legal obligations, and throughout the investigation Mr Blake did not provide any explanation for why his organisation would not respond.
The director was prosecuted under section 173 of the Data Protection Act 2018, which provides that it is a criminal offence for organisations to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure. This marks a rare but significant enforcement action, demonstrating that the ICO is prepared to pursue individuals who flout data protection laws.
Lessons for Employers
Employers, as data controllers, have obligations to respond to DSAR’s whether from their employees or members of the public. A DSAR must be responded to within one month of receipt, unless an extension to three months is justified.
This case highlights the importance of responding properly as it can attract not only fines for the business, but also personal liability and a potential criminal charge.
The lesson here, is that employers need to have clear policies and training around data rights, what to do when a DSAR is received, and how best to respond to this to protect the business and yourself from liability.
This case highlights the importance of responding properly as it can attract not only fines for the business, but also personal liability and a potential criminal charge.
How Employers Can Stay Compliant
Employers should ensure they have:
- A clear DSAR policy
The policy should outlines how requests are received, verified and processed.
- Staff training
A request does not need to state that the individual is making a DSAR under UK GDPR to be covered by this protection, and so it is vital to train staff on how to recognise and escalate DSARs appropriately, as well as on data retention policies.
- A designated data protection officer
Businesses should have a designated individual who is responsible for overseeing compliance with GDPR law.
- Systems in place
As the timeline for responding to a DSAR is relatively brief, employers need to ensure that they have systems to locate and retrieve personal data efficiently.
- Legal support
If you feel uncertain about a request, or do not have the facilities to deal with the volume of data, we recommend getting legal assistance. Our data protection team is on hand to assess complex requests and deal with the assessment and redaction of privileged or third-party information where necessary.
This case should serve as a reminder to all employers that data protection is not optional. With increasing scrutiny from regulators and growing awareness among individuals of their rights, organisations must treat DSARs with the seriousness they deserve.
Now is the time to review internal processes, train staff and ensure that your organisation is prepared to respond lawfully and efficiently to any request for personal information, and our team is on hand to assist.
Please reach out for a bespoke audit of your data protection compliance, or support responding to a DSAR.
