
DSAR Mistakes to Avoid: High Court’s Top 5 Lessons

A pivotal High Court case pitting Sports Direct founder Mike Ashley against HMRC over a data subject access request (DSAR) delivers actionable insights for businesses navigating these requests. Decided in January 2025, this ruling offers a treasure trove of lessons on compliance and strategy, spotlighting how organizations can sharpen their approach to DSARs.

 

Origins of the Conflict

Mike Ashley sold a portfolio of properties in 2012, sparking a dispute when HMRC contested his valuation. By 2016, Ashley faced a £13.6 million tax bill, which he successfully appealed and saw withdrawn months later. Not finished there, he invoked Article 15 of the UK GDPR, demanding all data HMRC held on its inquiry into him since 2011. HMRC’s response was lacklustre: initially nothing, then just correspondence with his team, prompting Ashley to sue. The court sided with him, ruling that HMRC fell short of its legal duties.

 

  1. Defining Personal Information

The court rejected HMRC’s narrow view of personal data, expanding the definition to include information tied to an individual by its content, purpose, or effect. Ashley’s property valuations, used to calculate his tax liability, qualified as personal data; comparable properties did not. This broader lens applies beyond tax scenarios to contexts like employee disputes.

 

Action Steps: Companies must recognize that personal data extends to anything affecting or evaluating an individual, not just direct identifiers. Assess each piece of information individually for its link to the person, ensuring a consistent approach across teams. Maintain transparency by logging decisions; an audit trail proves invaluable if challenged.

 

  2. Smarter Data Delivery

UK GDPR mandates that DSAR responses be concise, transparent, and clear. HMRC’s heavily redacted extracts, often just Ashley’s name, failed this test. The court insisted on adding context when needed to make data meaningful, enabling individuals to verify processing legitimacy or exercise rights like erasure.

 

Action Steps: Ensure redactions preserve intelligibility: ask, “Does this still make sense?” If not, include enough context to clarify the data’s relevance and use. Contextul software has data classification labels that detail the text being redacted, which would have been very helpful in this case.

 

  3. Setting Search Boundaries

HMRC wrongly confined its search to one department, ignoring data held elsewhere despite knowing better. The court demanded a comprehensive approach, spanning all areas where personal data might reside.

 

Action Steps: Adopt a “whole business” search strategy, unrestricted by internal silos. Expect demands to search across group companies, especially where services overlap, and prepare a robust response even if entities operate independently.

 

  4. Balancing Search Efforts

HMRC claimed broader searches were “disproportionate,” citing 150 hours spent on one department. The court dismissed this, noting HMRC’s flawed method and emphasising that time alone doesn’t excuse a limited search, especially for a resource-rich entity like HMRC.

 

Action Steps: Redefine “reasonable” searches by focusing on scope and fairness, not just hours spent. Scale efforts to your organisation’s capacity to meet compliance demands effectively.

 

  5. Leveraging Exemptions Wisely

HMRC leaned on a tax exemption, arguing disclosure could hinder tax collection. The court set a high bar: “likely” means a “very significant and weighty chance” backed by evidence. With Ashley’s dispute resolved, HMRC’s claim lacked proof and crumbled.

 

Action Steps: Apply exemptions precisely to specific data points, not broad categories. Provide concrete evidence of potential harm, anticipating this standard in areas like employment negotiations or forecasting.


Key Takeaways for Compliance Leaders

This case underscores a critical truth: refusing to disclose anything in a DSAR rarely resolves the issue. Ashley’s persistence after HMRC’s scant response proves that inadequate replies fuel escalation. Businesses must deliver meaningful responses to avoid pushback and legal risks.

 

Contextul’s Perspective

This ruling not only clarifies court expectations for DSAR compliance but also reinforces access as a cornerstone right unlocking others. Few disputes reach litigation due to cost, yet cases like Ashley’s amplify awareness, driving more DSARs. Businesses must tighten systems; there’s no margin for error.

 

Postscript: Contextul’s dedicated DSARaaS team excels in employment-related requests, offering flexible support from quick advice to full DSAR management and processing. Without a solid plan, DSARs drain resources; contact us to streamline your process and stay ahead.

 
 
 



©2025 Contextul Holdings Limited
