The £15,000 fine imposed on a company for failing to comply with a data subject access request (DSAR) is a salutary reminder that (a) the DSAR regime has teeth and (b) the Information Commissioner’s Office and the courts are prepared to bite.
In this case, it appears that an American citizen submitted a DSAR to SCL Elections (SCL), the parent company of Cambridge Analytica. SCL's response was to refuse to comply on the basis that the individual was not a UK citizen (the wording of its refusal is an interesting read).
The American citizen took the issue to the ICO and SCL was given an enforcement notice. It ignored this, leading to the prosecution and financial penalty.
The introduction of the EU General Data Protection Regulation and the Data Protection Act 2018 has significantly altered the legislative framework and raised awareness of individuals’ data rights. Organisations should ensure they have structures in place to spot DSARs and respond to them properly, within the statutory timeframes. That can sometimes involve significant resource but, as this fine demonstrates, simply doing nothing is usually a very poor option.