The number of Data Subject Access Requests is growing and they are now increasingly followed by a complaint that the response to the DSAR was insufficient. This is being fuelled by AI that can quickly (if not always accurately) identify issues with a DSAR response and then write a persuasively worded email with minimal effort. Alongside this, the new Data (Use and Access) Act 2025 has introduced obligations on data controllers to have effective complaint handling procedures.

This article sets out the new requirements for complaint handling and then looks specifically at how to handle DSAR complaints.

DUA Act 2025 – complaints by data subjects

As a matter of good practice, most data controllers constructively engage with complaints from data subjects. Complaints can be a useful early warning sign that personal data is not being processed correctly or that an organisation may have not sufficiently protected a data subject's rights, such as access to their personal data or to be forgotten. Not handling a complaint well could lead to the data subject bringing a private claim through the Courts or escalating their complaint to the ICO, with further regulatory investigations following.

There was not an express legal obligation on data controllers to engage with a data subject complaint under the UK GDPR or Data Protection Act 2018, though it is arguably implicit in the overarching principle to process data fairly and transparently and / or the duty to be accountable. It was certainly the expectation of the ICO that data controllers should properly engage with and investigate any complaint.

The DUA Act 2025 [1] creates an explicit statutory framework for individuals to make a complaint to a data controller if they consider that there is an infringement of their data protection rights by the data controller. The regime covers an alleged infringement of any part of UK GDPR or Part 3 of DPA 2018 (the latter being the regime for the processing of personal data by law enforcement). It does not explicitly extend to alleged infringements of the PEC Regulations that are commonly cited in complaints about the use of cookies, online tracking and spam emails, but given that these activities will very likely involve the use of personal data, there may be little choice in practice but to handle these complaints in line with the new statutory rules.

The new regime does not create a statutory basis for making complaints to a data processor. Where a data processor receives a complaint, it will first need to determine whether the complaint is directed against the data controller, such that the processor has received it on the controller's behalf. In that scenario, the complaint should be passed to the controller and the statutory regime will apply. Where a complaint is directed to a processor, the new statutory rules will not apply to it, although it would be best practice for the rules to be followed anyway.

Data controllers are now required to:

  • Facilitate complaints by data subjects (such as by taking steps to provide a complaint form which can be completed electronically)
  • Acknowledge receipt of any complaint within 30 days
  • Take appropriate steps to respond to the complaint without undue delay, including making appropriate enquiries into the subject matter of the complaint
  • Keep the data subject informed on the progress of the complaint, and
  • Communicate the outcome to the data subject without undue delay (a specific deadline for the final resolution of the complaint is not prescribed).

Additional regulations may also be implemented in due course to require a data controller to confirm to the ICO the number of complaints it receives during a specific period.

A failure to provide an effective and timely response to a complaint is subject to the ICO's full range of enforcement powers, including penalties. A data subject can also apply to the Court for an order compelling the data controller to handle the complaint in line with the above requirements and / or for compensation if the complaint is handled improperly. These remedies are in addition to any enforcement action, penalty or Court remedy that might be imposed for the underlying infringement of the UK GDPR.

It is currently unknown how the ICO intends to enforce these new provisions, as it has not yet released updated guidance on complaint handling. Logically, this might follow the same pattern as the ICO's approach to issues with DSARs. Generally the ICO does not use its enforcement powers in relation to individual DSARs but prefers to provide guidance to data controllers and data subjects on what needs to be done; it tends to leave the legal enforcement of an individual data subject's rights to the Courts. However, it does exercise its enforcement powers when there are systemic failings in how a data controller is behaving (such as not having policies and procedures in place, repeated complaints or large backlogs of unanswered rights requests), and the ICO has a track record of imposing penalties in these situations.

Implications and practical actions

In terms of practical steps, organisations should:

  • Review their privacy notices, procedures for handling data subject rights such as DSARs, and marketing activities (cookies, direct marketing, etc.). These are the areas that most commonly give rise to complaints.
  • Provide a publicly accessible route for data protection complaints, such as an online form or dedicated email address. This can help ensure that data protection complaints are quickly identified and not missed amongst other communications. There is no requirement for a data subject to use a dedicated channel and complaints through other routes will still be valid.
  • Draw up a policy for how complaints will be handled. This should cover keeping a log of complaints, the complaints process, who will handle complaints, an escalation channel for unsatisfied complainants, and a method ensuring that any improvements needed in response to a complaint are implemented. Although the DUA Act does not expressly require a complaints handling policy, the general duty of accountability under the GDPR (Article 5(2)) requires organisations to be able to demonstrate compliance and a complaints policy is a good way to do this.
  • Assess whether existing complaints processes are sufficient or whether a new process is required. Whilst using an existing procedure may be more cost efficient, it may not ensure that the complaint is handled by someone with sufficient data protection expertise. Where the complaint covers multiple issues, a combined procedure may not result in the data protection issues being fully addressed, or an inappropriate resolution may be proposed (e.g. it might be appropriate to offer a goodwill payment for poor service, but that would not be appropriate where a data subject's rights have not been fulfilled).
  • Provide training to staff so that they are able to identify a data protection complaint and know what to do with it. This is especially important in customer-facing or support teams who may be regularly interacting with data subjects and will need to be able to identify a data protection complaint that has been bundled up amongst several other issues. Any onboarding or annual refresher data protection training should also be updated to cover complaint handling.
  • Review and update contracts with data processors to include provisions requiring data processors to pass on complaints to data controllers without undue delay. Where a complaint is truly addressed to the data processor (i.e. outside the statutory regime), the contract should set out whether, and to what extent, the data controller should be kept informed about the complaint and / or has the right to input on, or approve, any reply by the data processor to the data subject. Controllers may wish to retain this oversight for commercial or reputational reasons.
  • Consider the level of effort required to be able to meet the new statutory time limits (30 days to acknowledge receipt and then a full response without undue delay) and put in place adequate resources to achieve this.
  • Ensure records are kept of the internal actions taken to respond to a complaint so that it can be demonstrated to the ICO that appropriate steps have been taken without delay. The new right to complain to the data controller does not prevent the data subject from going to the ICO, and it can be expected that some data subjects will escalate to the ICO not only their substantive complaint but also any dissatisfaction with how it has been handled by the data controller.

DSAR complaints

An increasing number of complaints are made about DSARs, and they are becoming more sophisticated. There have always been complaints about DSAR responses, but this has dramatically escalated in the last year, and the cause is Artificial Intelligence. AI allows data subjects to get quick input on their rights and can then write for them a persuasive-looking complaint within moments. On the face of it these complaints can look very serious, and if they are escalated to the ICO they can give an immediate impression that an organisation has deeply failed in its obligations.

On closer analysis these complaints sometimes do not stand up to scrutiny. AI tends to repeat lines of argument that it has scraped from other complaints found across the internet. It cannot yet conduct an accurate analysis of the information provided in a DSAR response to determine whether there has been an infringement of a data subject's rights and whether the scraped lines of argument apply.

The AI will also do what it has been prompted to do: if an AI is asked to write a complaint, that is what it will do, regardless of whether there is any merit in the complaint. It will write something that sounds persuasive because that is what it has been told to do. This can also cause the AI to hallucinate incorrect facts and law. AI will fabricate legal principles and precedents to justify its reasoning and invent (or ignore) facts in order to complete the story of the complaint. Data subjects can then (understandably) take the AI's reasoning at face value, and that can cause them to incorrectly believe in the strength of their position, making it harder for the true position to be understood.

The most common themes in DSAR complaints are:

  • Material has been unjustifiably redacted, especially when the redaction is a third party's opinion about the data subject.
  • Documents or information have not been provided.
  • The scope of the search for documents was too narrow.
  • In group company situations, that personal data has been provided from the wrong group companies.

When responding to a DSAR complaint:

  • Acknowledge the complaint promptly, and in any event no later than 30 days after receipt.
  • Review the complaint carefully. Split out each element of the complaint to ensure that each is addressed. Multiple rounds of complaints can be caused by not addressing all the points in one go.
  • Seek clarification from the data subject if the complaint is not clear. Where large numbers of documents are involved, it can be unclear which document or piece of information is being referred to. It can help to place a unique reference number on each document provided in the original DSAR response so that there is a common reference system that both sides can use; a document review system can do this automatically.
  • Take the complaint back to first principles – what does the UK GDPR actually require, not just what the data subject wants. Check that any facts or law cited in the complaint are correct, and not an AI hallucination.
  • Address each part of the complaint by reference to the original DSAR response. For this reason, it is critical to have kept records of the decisions made when responding to the original DSAR. This means having a documented rationale for the scope of the search for relevant data, a note of why certain documents or information were not provided, and the logic for any redactions. It can sometimes be weeks or months between the DSAR response and the complaint, and memories fade quickly. Also, there will have been dozens, if not hundreds, of micro decisions on individual documents or pieces of information. Best practice is to use a document review system that can log each decision against each document and thereby provide an audit trail that can be easily reviewed when considering a complaint.
  • Take a step back and consider what the data subject is truly looking for. DSAR complaints often bundle together a wide range of matters, throwing in every possible criticism, but sometimes the true driver for the complaint is a single piece of information that the data subject really wants.
  • Keep the data subject updated on your progress, at least once a month and possibly sooner if there is time pressure to move quickly. It can help manage expectations to provide a target date for the final reply if one can be confidently predicted.
  • Prepare the reply to the complaint with care, making sure that each point is addressed and cross-referenced to the correct underlying document or piece of information. Complaints can become protracted through basic misunderstandings between data controller and data subject.
  • Preserve the original DSAR response, complaint and reply for a reasonable period. This may be needed if the matter is escalated to the ICO. A maximum retention period should be set in line with the principle of data minimisation. In most cases, a year should be sufficient and justifiable but it may be longer depending on the circumstances.

WBD Clarity

WBD Clarity is a targeted solution for responding to DSARs, allowing organisations to reduce the volume of personal data, streamline the review process and undertake DSARs in an auditable manner compliant with the ICO guidance. It is fully scalable, so can be used by your organisation as a platform to manage the document review process, where individual documents can be reviewed by a WBD privacy specialist as needed, or the entire DSAR can be outsourced where there are complex elements or a high volume of documents.

WBD Cipher

Dealing with a data complaint or low-value data claim can often cost more in legal fees than the value of the claim itself. Due to the nature, volume and pattern of such claims, we have developed a cost-effective solution to help organisations faced with this scenario: WBD Cipher. If you would like more information about WBD Cipher, please do not hesitate to contact us.

Sources

[1] Section 103 DUA Act added a new section 164A into the DPA 2018. At the time of writing, this provision is not yet in force but is expected to be brought into force by further regulations by the end of 2025.

This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.