Data protection fine for UK housing developer

A UK housing developer has been issued with a financial penalty for failing to respond adequately to a Subject Access Request (SAR).

 The Information Commissioner’s Office (ICO) released a statement recently, in which financial penalties of nearly £1,500 were broken down following Magnacrest’s inadequate compliance with data protection standards a number of years ago.

The punishments stem from a Subject Access Request made on 17th April 2017 made by an unnamed individual who also a cheque for £10 to cover administration costs – a sum that the firm is legally allowed to charge for SAR processing.

When Magnacrest failed to respond to the individual’s request for data within the prescribed 40-day time period, emails and phone calls from the UK data protection regulator – the ICO – also went unheeded.

An enforcement notice was imposed by the ICO at the end of January 2018. Magnacrest’s failure to comply with the SAR and subsequent enforcement notice constituted a criminal offence under data protection law, leading to a charge to which the housing developer pleaded guilty on Wednesday of last week at Westminster Magistrates Court.

As the offence centred upon a SAR submitted two years ago, the enforcement was issued under the Data Protection Act 1998, so a £300 fine applies. However, Magnacrest must now also pay prosecution costs of £1,133.75, plus a victim surcharge of £30.

If the offence had been committed in the era of the General Data Protection Regulation, which came into force on May 25th 2018, the financial penalty would have been significantly higher for the Buckingham-based firm.

The ICO’s criminal enforcement manager, Mike Shaw said:

“The right to access your own personal information is a fundamental and long-standing principle of data protection law. New laws brought into effect last May strengthen those rights even further.

“Organisations not only have to respect this right but must also respect notices from the ICO enforcing the law. If they fail to do so then they must accept the consequences, which can include a criminal prosecution.”

Under the GDPR, organisations now have 30 days to respond to a Subject Access Request, although this can be extended by a further two months if the request is complex, or if a number of requests from one individual have been received.

Organisations must notify individuals within one month of receiving the SAR and explain why the extension is necessary.


European Data Protection Summit will take place on June 3rd in Central London and will play host to 800 DPO’s, Security Professionals and senior business decision makers looking for; information, updates, clarity, advice and solutions. For more information, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.