ICO - Rules without Teeth

When Regulators Abdicate: The ICO’s Shameful Failure to Enforce GDPR

ICO · Subject Access Requests · Regulatory accountability

A Subject Access Request should not become a procedural maze. Where a data subject is already known to the parties, has corresponded repeatedly, and seeks data needed for live legal issues, repeated identity demands can become more than administrative caution. They can become a practical barrier to rights. This case study asks whether the ICO’s response to my complaint against Balliol Property Services and Burnetts Solicitors LLP shows a regulator too willing to accept delay and too reluctant to enforce.

Category: Regulatory accountability
Jurisdiction: United Kingdom
Reading time: c. 9 minutes
Last reviewed: 2 June 2026
By-line: John Barwell, Legal Lens

Publication snapshot

  • This article is a first-person case study arising from a SAR dispute involving Balliol Property Services, Burnetts Solicitors LLP and the ICO.
  • The central concern is that repeated identity-verification demands delayed access to data despite prior correspondence and apparent familiarity between the parties.
  • The ICO ultimately secured agreement that the SAR response would be provided without further ID verification, but declined to take stronger enforcement action.
  • The article argues that directing data subjects towards court action can defeat the practical purpose of regulatory protection.
  • The wider reform issue is whether the ICO uses its corrective powers robustly enough where procedural delay obstructs data rights.
Reader note: this article is first-person public-interest commentary based on the author’s experience, correspondence and analysis. References to obstruction, bad faith, delay, procedural tactics, regulatory inaction or weak enforcement are the author’s interpretation of the events described. They should not be read as findings of legal liability, professional misconduct or bad faith by Balliol Property Services, Burnetts Solicitors LLP, the ICO or any individual unless established by a court, tribunal, regulator, ombudsman or other competent authority.

Why this case matters

The Information Commissioner’s Office describes itself as the UK’s independent authority for upholding information rights. For individuals, that role matters most when a data controller delays, resists or complicates access to personal data.

A Subject Access Request is not a favour. It is one of the practical routes by which people can understand what information is being held about them, how it has been used, and whether that information is needed for a wider dispute.

This article arises from my dispute involving Balliol Property Services, known here as BPS, Burnetts Solicitors LLP, and my business, Flashback Toys Ltd. It is not offered as a final adjudication of liability. It is a case study in how procedural handling of data rights can become a barrier to justice.

Core issue: data rights are weakened when access depends on the individual’s ability to withstand delay, correspondence loops and court deflection.

The context: a dispute that moved beyond lease issues

My experience with BPS and Burnetts began as a lease dispute involving Flashback Toys Ltd. The issues included rent arrears, deposits and broader questions about how the commercial relationship was handled.

Over time, the dispute moved beyond ordinary property disagreement. My position is that BPS and Burnetts used procedural tactics that obstructed resolution and increased pressure on me as a litigant in person.

By April 2024, the data-protection issue had become central. I had made a Subject Access Request to BPS. Instead of receiving a straightforward response, the request was redirected into correspondence involving Burnetts, and further identity-verification demands were made.

Lease dispute

A commercial disagreement about rent, deposits, liabilities or contractual performance.

Data-rights dispute

A separate question about whether personal data is being accessed, delayed, withheld or processed lawfully.

The SAR dispute: verification or delay?

Organisations are entitled to take reasonable steps to verify identity where there is genuine doubt. That is not the issue. The issue is proportionality, context and motive.

In my case, my position is that BPS and Burnetts already knew who I was. They had corresponded with me repeatedly and had dealt with me in the underlying dispute. My concern is that further ID demands were not necessary verification, but a way to delay the SAR response.

That concern became sharper because BPS had, on my account, already sent personal data to my verified email address when doing so suited its own interests. If that is correct, it raises an obvious question: why was further ID suddenly required when I sought access to my own data?

How SAR delay can work in practice

  1. A data subject submits a SAR in the context of a wider legal dispute.
  2. The organisation raises further identity-verification requirements despite prior correspondence.
  3. The data subject loses time, evidence access and litigation momentum.
  4. The regulator later secures compliance, but without meaningful consequence for the delay.

The ICO response: resolution without enforcement

After months of frustration, I complained to the ICO. On 13 December 2024, the ICO told me that it had secured agreement from BPS to provide my SAR response without further ID verification.

That was a welcome practical step. It also demonstrated the central point: the further ID demand could be removed once the ICO pressed the issue. The problem is that this happened only after delay had already caused practical harm.

The ICO declined to issue a compliance order or take stronger corrective action. In my view, that matters because a late agreement does not answer the regulatory question. If delay has already obstructed a data subject’s rights, the regulator should ask whether the conduct requires more than informal resolution.

Practical point: securing a late SAR response may solve the immediate access problem, but it does not necessarily address the delay, the tactic or the deterrence issue.

The controller-separation issue

One of the ICO’s apparent reasons for restraint was that each organisation is an independent data controller and may set its own identity-verification requirements.

As a general proposition, that may be right. Controllers have separate legal responsibilities and must make their own assessment. But the practical facts matter. Burnetts was acting as BPS’s solicitors in the wider dispute, and the identity issue arose within that working relationship.

My concern is that treating the demands as wholly separate risks overlooking the reality of how the organisations interacted. Where a solicitor is corresponding on behalf of a client and identity has already been established through that relationship, the regulator should scrutinise whether further ID demands are genuinely necessary.

Formal separation

Each data controller may have its own legal duties and may need to assess identity, security and disclosure risk.

Practical collaboration

Where organisations are acting together in a live dispute, repeated verification demands may need closer scrutiny.

The issue is not whether identity checks are ever legitimate. The issue is whether the ICO should accept controller separation as a sufficient explanation where the facts suggest a coordinated or overlapping response.

The problem with court deflection

The ICO also pointed towards legal action as a route to compel compliance. That is formally available in some cases. Data-protection law does provide court routes for orders and remedies.

But that answer can be hollow for ordinary data subjects. Court action requires time, money, procedural confidence and risk tolerance. Where the regulator has already identified a practical route to compliance, telling the individual to pursue court action can shift the burden onto the person least equipped to carry it.

Regulators exist partly because individual enforcement is often unrealistic. If a data subject must litigate every time a controller delays or resists, the protection becomes theoretical.

How regulatory burden shifts to the individual

  1. The individual complains to the regulator because direct engagement has failed.
  2. The regulator secures some movement but declines stronger corrective action.
  3. The individual is told that further enforcement may require court action.
  4. The organisation faces limited immediate consequence, while the individual carries the cost and risk.

The practical cost of ICO restraint

For me, the delay was not abstract. The withheld data was connected to a wider legal dispute. Time mattered. Access mattered. The ability to understand and evidence what had happened mattered.

The practical effect was months of uncertainty, stress and additional pressure. The delay affected my ability to progress the wider dispute and added another procedural layer to an already difficult matter.

The wider concern is not personal inconvenience alone. If organisations can use identity verification tactically, and the likely regulatory consequence is a late informal resolution, the incentive structure is wrong.

Complaint outcome

The immediate issue may be resolved when the organisation eventually agrees to provide the data.

Regulatory deterrence

The system must also deter unnecessary delay and repeated procedural obstruction in future cases.

Data protection cannot work if compliance becomes optional until the regulator intervenes, and consequence-free after the regulator intervenes.

What must change

The answer is not that the ICO should punish every late SAR response. Proportionality matters. Controllers must be allowed to verify identity where there is a real concern, and regulators must prioritise finite resources.

The reform issue is narrower and more practical: where the facts show repeated delay, inconsistent identity demands or tactical use of data-protection procedure in a live dispute, the ICO should be willing to use stronger corrective powers.

Regulatory reforms

  1. Scrutinise repeated ID demands where the data subject is already known to the controller.
  2. Escalate cases where SAR delay affects live litigation, limitation or access to evidence.
  3. Explain clearly why formal corrective action is or is not used after delay has occurred.
  4. Track repeat controller behaviour involving verification demands and delayed SAR responses.

Data-subject safeguards

  1. Require controllers to justify additional ID checks by reference to genuine doubt, not generic policy.
  2. Discourage unnecessary referral of SAR disputes to private litigation where regulatory action could resolve compliance.
  3. Require outcome letters to identify practical next steps and legal routes in plain language.
  4. Publish anonymised learning from cases where procedural delay has obstructed data rights.

Selected references

ICO correspondence dated 13 December 2024 concerning the SAR complaint and the agreement that BPS would provide the response without further ID verification.

Subject Access Request correspondence between John Barwell, Balliol Property Services and Burnetts Solicitors LLP.

UK GDPR Article 58(2), including the Commissioner’s corrective powers.

Data Protection Act 2018 sections 149–150, 166 and 167.

ICO: Action we’ve taken, including enforcement notices, reprimands, monetary penalties and prosecutions.

Practical conclusion

The ICO’s handling of this complaint raises a simple question: what is the point of a regulator if the individual must still carry the real burden of enforcement?

In my case, the ICO eventually secured movement from BPS. But by then, the delay had already done damage. The regulator’s refusal to take stronger action leaves the wider problem unresolved.

Data protection law depends on timely access, practical enforcement and meaningful consequences for obstruction. If controllers can delay, negotiate, retreat only when challenged, and face no formal consequence, the right of access is weakened for everyone.

Closing point: data rights are not protected by telling individuals to go to court after the damage has been done. They are protected when the regulator is willing to enforce before delay becomes the tactic.

John Barwell is the founder of Legal Lens, an advocacy initiative supporting litigants in person in England & Wales. Contact Legal Lens.

This article is public-interest commentary and a first-person case study. It is not legal advice, and reading it creates no professional relationship. SAR compliance, identity verification, controller responsibility, ICO complaint handling, court remedies, litigation strategy, limitation and professional-conduct issues are fact-sensitive and should be assessed by reference to the correspondence, the ICO response, the underlying dispute documents and independent legal advice where required.
