UK Home Office DSAR backlog enforcement — automation gaps triggered ICO action
The UK ICO issued a July 2022 enforcement notice against the Home Office after a surge of over 21,000 unanswered subject access requests exposed brittle triage and automation that could not keep pace with volumes.
On 6 July 2022 the UK Information Commissioner's Office served the Home Office with an enforcement notice for missing statutory deadlines on more than 21,000 subject access requests. The backlog stemmed from fragmented intake tooling, limited automation for identity checks, and scarce case-handling capacity. The notice required cleared queues, validated workflows, and sustained compliance with GDPR Article 12 response timelines. Teams that rely on automated DSAR portals without adequate exception handling or staffing should run backlog reduction plans, add manual fallback paths, and monitor request aging to prevent similar enforcement.
- Instrument DSAR portals with aging dashboards and alerts when requests approach the one-month GDPR response limit.
- Add manual fallback procedures for identity verification and data discovery so automation failures do not block responses.
- Stage surge staffing and triage playbooks that prioritize overdue requests and regulator escalations.
- Audit vendor-managed DSAR tooling for queue integrity, retention, and export accuracy before regulators ask for evidence.
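The aging check behind the first bullet, as an added example that is not ICO or Home Office tooling: each request gets a due date one month from receipt (three if an Article 12(3) extension was granted) using calendar-month arithmetic, requests whose identity is still unverified are routed to the manual fallback instead of silently aging, and the queue is summarised per status for a dashboard. The 7-day warning threshold, the run date, the simplification that the clock runs from receipt or from identity confirmation if later, and the records themselves are constructed assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

WARN_DAYS = 7                # assumed threshold: alert with a week or less left
AS_OF = date(2022, 3, 5)     # constructed run date for the sample queue

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic: same day in the target month, or its last day if that day does not exist."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

@dataclass
class Dsar:
    ref: str
    received: date
    id_verified: Optional[date]  # None: identity still unconfirmed
    extended: bool = False       # Article 12(3) extension by two further months

def due_date(r: Dsar) -> Optional[date]:
    """One month (three if extended) from receipt, or from identity confirmation
    when that came later (assumed simplification of the ICO's position)."""
    if r.id_verified is None:
        return None
    return add_months(max(r.received, r.id_verified), 3 if r.extended else 1)

def classify(r: Dsar, today: date) -> str:
    """One of awaiting_id, overdue, warning, ok."""
    due = due_date(r)
    if due is None:
        return "awaiting_id"  # route to the manual identity-check fallback
    if today > due:
        return "overdue"
    return "warning" if (due - today).days <= WARN_DAYS else "ok"

def aging_report(queue, today: date) -> dict:
    """Per-status counts for a dashboard; alert on overdue and warning."""
    counts: dict = {}
    for r in queue:
        status = classify(r, today)
        counts[status] = counts.get(status, 0) + 1
    return counts

SAMPLE_QUEUE = [  # constructed records, not real Home Office cases
    Dsar("DSAR-0001", date(2022, 1, 31), date(2022, 1, 31)),  # due 28 Feb 2022
    Dsar("DSAR-0002", date(2022, 2, 10), date(2022, 2, 20)),  # clock from ID check: due 20 Mar
    Dsar("DSAR-0003", date(2022, 2, 1), None),                # identity unverified
    Dsar("DSAR-0004", date(2021, 12, 10), date(2021, 12, 10), extended=True),  # due 10 Mar
]
```

Run `aging_report(SAMPLE_QUEUE, AS_OF)` to get one request in each of the overdue, warning, ok and awaiting_id buckets.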
Sources: ICO enforcement notice to the Home Office (6 July 2022); GDPR Article 12.
Clearview AI ordered to honor DSARs and delete scraped images after EU rulings
France’s CNIL and Italy’s Garante both fined Clearview AI €20 million in 2022 for unlawful scraping and for refusing to satisfy access and deletion requests from EU residents.
Regulators in France and Italy issued €20 million penalties and deletion orders against Clearview AI in 2022, citing failure to process data subject access and erasure requests alongside illegal biometric scraping. CNIL’s October 2022 formal notice and the Garante’s March 2022 decision each required Clearview to stop collecting images of EU residents and to honor DSAR workflows with verifiable exports and deletion confirmations. The cases highlight how automated denial of access requests or opaque opt-out flows trigger maximum GDPR sanctions when combined with high-risk processing such as facial recognition.
- Test DSAR portals with real resident requests to verify export completeness and prompt deletion workflows for biometric data.
- Record evidence of opt-out processing, including hash deletion and model retraining steps, for regulator review.
- Block collection of high-risk data from jurisdictions with active enforcement orders until DSAR compliance is proven.
- Publish transparency notices that enumerate data sources, retention, and redress options for data subjects.
Sources: CNIL €20m sanction and deletion order (October 2022); Italian Garante €20m ban and fine (March 2022).
CNIL Doctissimo fine — health forum data retained without limits
The CNIL fined health website Doctissimo €380,000 in June 2023 for keeping account, quiz, and health questionnaire data indefinitely and for weak consent management.
On 15 June 2023 France’s CNIL imposed a €380,000 fine on Doctissimo after finding the site retained health-related quiz responses and account data without defined retention schedules and collected consent via pre-ticked boxes. CNIL ordered the operator to set explicit retention periods, purge legacy health data, and secure user consent flows in line with GDPR Articles 5(1)(e) and 7. The case illustrates how absent retention controls on special-category data attract enforcement even without a breach.
- Map all data stores holding special-category or questionnaire responses and assign retention periods per purpose.
- Automate deletion and archival workflows with audit logs that prove when each category is purged.
- Replace pre-ticked or bundled consent with explicit, granular opt-ins and renewal prompts for sensitive data.
- Re-run DPIAs on health data processing to confirm retention and consent controls meet GDPR expectations.
Sources: CNIL €380k sanction against Doctissimo (June 2023); GDPR Article 5(1)(e).
AG2R La Mondiale €1.75m penalty for excessive data retention
CNIL’s May 2023 decision against insurer AG2R La Mondiale cited eight-year retention of inactive customer data and insufficient security, resulting in a €1.75 million fine.
France’s CNIL fined AG2R La Mondiale €1.75 million on 25 May 2023 after audits showed personal data from lapsed insurance contracts was kept up to eight years without necessity and stored with inadequate access controls. The decision invoked GDPR storage limitation and security principles, ordering the insurer to enforce retention schedules, delete stale customer files, and strengthen authentication. The case underscores how regulators review retention discipline alongside security posture when assessing compliance.
- Implement automated lifecycle rules that purge customer records once contractual and statutory retention windows close.
- Tie retention timers to line-of-business systems so contract status changes immediately adjust deletion schedules.
- Require strong authentication and least-privilege roles on archives that hold in-scope personal data.
- Document legal holds separately to prevent blanket retention of expired customer files.
Sources: CNIL €1.75m fine for retention and security failures (May 2023); GDPR Article 32.
Privacy engineering patterns anchored in NIST and ENISA guidance
NIST’s Privacy Framework and ENISA’s 2023 Data Protection Engineering report provide reusable patterns—data minimisation, differential privacy, strong logging boundaries—that keep DSAR and retention controls auditable.
The NIST Privacy Framework (v1.0, January 2020) and ENISA’s 2023 Data Protection Engineering report catalogue engineering patterns that operationalise privacy by design. They emphasise data minimisation, purpose limitation, differential privacy for analytics, immutable audit logs with strict role boundaries, and testable DSAR/erasure APIs. Adopting these patterns tightens retention enforcement and makes DSAR exports reproducible because data flows, identifiers, and deletion hooks are instrumented from the start.
- Adopt the NIST Privacy Framework catalog to map DSAR and retention controls to system components and owners.
- Implement data minimisation and purpose tags at the schema level so retention and erasure rules can be enforced automatically.
- Use privacy-preserving analytics (e.g., differential privacy) where aggregate reporting is sufficient, reducing DSAR scope.
- Add authenticated APIs and audit logs for DSAR exports and deletions to prove completeness during regulator reviews.
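An added example (not code from AG2R La Mondiale, CNIL, NIST or ENISA) that ties the AG2R retention bullets to the schema-level purpose tags recommended here: every stored field carries a purpose tag, each purpose has a retention window anchored on a line-of-business event such as a contract lapse, legal holds apply per record rather than as a blanket stop, and every purge or hold decision produces an audit entry. The field names, purposes, retention windows, hold reference and customers are all constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional
AS_OF = date(2023, 5, 25)  # constructed run date

# Schema-level purpose tags (constructed schema); an untagged field fails the job with KeyError.
FIELD_PURPOSE = {"name": "contract_admin", "address": "contract_admin", "iban": "contract_admin",
                 "marketing_prefs": "marketing", "claims_history": "claims_evidence"}
# Purpose -> (anchor event, window). Constructed windows: real ones come from the retention schedule.
RETENTION = {"contract_admin": ("contract_end", timedelta(days=5 * 365)),
             "marketing": ("last_contact", timedelta(days=3 * 365)),
             "claims_evidence": ("contract_end", timedelta(days=10 * 365))}

@dataclass
class Customer:
    cid: str
    contract_end: Optional[date]      # None while the contract is live: no timer runs
    last_contact: Optional[date]
    legal_hold: Optional[str] = None  # hold reference, documented separately from retention
    data: Dict[str, str] = field(default_factory=dict)

def on_contract_event(c: Customer, status: str, when: date) -> None:
    """Line-of-business hook: a lapse starts the clock, reinstatement stops it."""
    c.contract_end = when if status == "lapsed" else None

def apply_retention(c: Customer, today: date) -> List[dict]:
    """Purge fields whose purpose window has closed; return audit-log entries."""
    log = []
    for fld in list(c.data):
        purpose = FIELD_PURPOSE[fld]
        anchor, window = RETENTION[purpose]
        start = getattr(c, anchor)
        if start is None or today - start <= window:
            continue  # no anchor event yet, or the purpose still applies
        if c.legal_hold:  # a hold keeps this record only, never a blanket stop
            log.append({"cid": c.cid, "field": fld, "action": "retained", "reason": f"legal_hold:{c.legal_hold}"})
            continue
        del c.data[fld]
        log.append({"cid": c.cid, "field": fld, "action": "purged", "purpose": purpose, "on": today.isoformat()})
    return log

def run_sample() -> dict:
    """Two constructed customers lapsed in 2015: one clear, one under a legal hold."""
    base = {k: "redacted" for k in FIELD_PURPOSE}
    a = Customer("A", None, date(2021, 1, 1), data=dict(base))
    b = Customer("B", None, date(2021, 1, 1), "HOLD-0001", data=dict(base))
    for c in (a, b): on_contract_event(c, "lapsed", date(2015, 3, 1))
    log = apply_retention(a, AS_OF) + apply_retention(b, AS_OF)
    return {"a_fields": sorted(a.data), "b_fields": sorted(b.data),
            "purged": sum(e["action"] == "purged" for e in log),
            "held": sum(e["action"] == "retained" for e in log)}
```

For customer A the three contract_admin fields are purged while the marketing and claims fields survive their longer windows; for customer B the same three fields are retained with the hold reference recorded in the log.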
Sources: NIST Privacy Framework 1.0; ENISA Data Protection Engineering (2023).