The Information Commissioner’s Office (ICO) has issued an enforcement notice to Bristol City Council, highlighting critical failures in handling subject access requests (SARs). This case serves as a reminder of the importance of data protection practices and the consequences of non-compliance with UK GDPR requirements.
Bristol City Council faced serious challenges with their data protection obligations, accumulating a backlog of 231 overdue SARs as of June 2025, with some requests dating back to January 2022 – over three years old. The council received 961 SARs between April 2023 and March 2024 but managed to respond to only 400 (42%) within the statutory timeframe.
Sally-Anne Poole, Head of Investigations at the ICO, stated: “Subject access requests are a fundamental right that allows people to know what information organisations hold about them and how it is being used. Despite our repeated engagement with Bristol City Council over a sustained period of time, limited progress has been made to clear a backlog of requests”.
The enforcement notice requires Bristol City Council to take several immediate actions:
GDPR Local specialises in preventing exactly these types of compliance failures. With over 4,000 clients globally and more than 1,000 data protection issues resolved, the company offers solutions that could have prevented Bristol City Council’s predicament.
Subject Access Request Management
GDPR Local provides services to support the data subject request process. We help organisations track, manage, and respond to requests within the required timeframes, preventing the accumulation of backlogs that troubled Bristol City Council.
Data Protection Officer Services
We offer experienced, certified Data Protection Officers who work closely with senior management teams to meet data protection obligations. This level of expertise could have provided Bristol City Council with the strategic oversight needed to maintain compliance and prevent the organisational attitude issues highlighted by the ICO.
Training and Implementation Support
GDPR Local also provides tailored compliance training for teams and comprehensive implementation programs. The Bristol case highlighted significant training gaps, with the council stating at one point that there were no training materials for their Disclosure Team. GDPR Local’s approach addresses these fundamental weaknesses through structured training programs.
Ongoing Compliance Support
GDPR Local offers long-term strategic governance and support relationships, providing the sustained attention that data protection compliance requires. Bristol City Council’s problems developed over the years, suggesting that ongoing professional support might have prevented the escalation to enforcement action.
Representative Services
For organisations processing data of EU/UK/Swiss citizens, GDPR Local provides Article 27 Representative services, including support during regulatory investigations. This service could prove invaluable for organisations facing ICO scrutiny.
The Bristol City Council case demonstrates that resource constraints and complexity are not acceptable excuses for data protection failures. The ICO made clear that organisations must demonstrate compliance with their obligations.
GDPR Local’s all-around approach addresses the root causes identified in this enforcement action: inadequate staffing, insufficient training, poor organisational attitudes toward compliance, and a lack of systematic processes for handling data subject requests.
With data protection becoming increasingly monitored by regulators, organisations cannot afford to treat compliance as an afterthought. The Bristol case demonstrates that enforcement action can arise from sustained non-compliance, necessitating extensive remedial action and ongoing regulatory oversight.