Compliance Wake Up Call

DSAR Compliance Is Evolving: Why California’s Enforcement Action Is a Wake-Up Call for UK Businesses

The California Privacy Protection Agency’s (CPPA) recent enforcement action against a company for mishandling Data Subject Access Requests (DSARs) has captured global attention.

Although this case was brought under the California Consumer Privacy Act (CCPA), its lessons are highly relevant to businesses operating under the UK GDPR and EU GDPR.

For UK organisations, this is a timely reminder: regulators around the world are tightening their focus on DSAR compliance. The message is clear — treating DSARs as a simple compliance checkbox is no longer acceptable.

What Happened in California?

In a landmark move, the CPPA issued a Stipulated Final Order after finding that a company failed to handle DSARs properly.

Key issues highlighted included:

  • Delays in acknowledging requests

  • Incomplete data disclosures

  • Poor communication with requesters

In short, the organisation failed to meet its obligations to respond in a timely, accurate, and transparent manner.

While this particular enforcement action took place in the United States, the underlying expectations mirror those of the UK GDPR — where the right of access is a fundamental data protection principle.

Why It Matters for UK Businesses

Under the UK GDPR, organisations must respond to DSARs within one calendar month of receipt. Extensions are possible only for complex cases, and even then must be clearly justified.

Failure to comply can result in:

  • Regulatory investigations and complaints to the Information Commissioner’s Office (ICO)

  • Financial penalties for non-compliance

  • Reputational damage due to poor handling of individuals’ data rights

The CPPA’s action is a signal to UK businesses: regulators are becoming less tolerant of poor DSAR processes, regardless of geography.

Common DSAR Pitfalls — and Why Manual Processes Fall Short

The CPPA case shines a light on weaknesses many UK businesses also face:

  • Manual DSAR tracking through spreadsheets or emails

  • Disconnected data sources making data discovery difficult

  • Inconsistent or incomplete identity verification

  • Errors in data redaction

  • Lack of clear, auditable records of DSAR handling

As data volumes grow and request complexity increases, manual processes inevitably increase the risk of:

  • Missed deadlines

  • Incomplete responses

  • Inadvertent disclosure of third-party or sensitive data

This is no longer sustainable in an environment of rising regulatory scrutiny.

How UK Organisations Can Strengthen DSAR Compliance

The takeaway is clear: proactive DSAR management is now essential for organisations that want to maintain compliance and avoid regulatory attention.

Investing in modern DSAR automation tools and robust workflows delivers several key benefits:

  • Automated intake and identity verification to streamline the process

  • Integrated data discovery across cloud and on-premises systems

  • AI-assisted redaction to minimise errors and protect sensitive data

  • End-to-end audit trail to demonstrate compliance if challenged

  • Faster response times, improving trust with customers and employees

Solutions like DSAR.ai help UK businesses build a DSAR process that is:

  • Scalable

  • Defensible

  • Consistent

  • Efficient

While automation does not replace legal and privacy expertise, it provides the necessary foundation to manage today’s DSAR demands effectively.

Final Thoughts

The CPPA’s enforcement action may have been directed at a U.S. company, but the underlying message is global:

DSAR obligations are being taken seriously by regulators everywhere.

UK organisations should treat this as a timely wake-up call. Manual, fragmented DSAR handling is no longer fit for purpose — and failing to modernise could put your business at risk.

By reviewing and upgrading your DSAR processes now, you can:

  • Stay ahead of regulatory expectations

  • Protect your organisation from fines and complaints

  • Build trust through transparent, professional handling of data rights

In today’s evolving privacy landscape, that is not just good compliance — it is smart business.

Interested in learning how DSAR.ai can help you automate and streamline your DSAR workflows?
Request a demo to see how we can support your organisation.
