Mike Ashley Triumphs in High Court Battle with HMRC Over Subject Access Request: What Businesses Can Learn

Sports Direct tycoon Mike Ashley has won a recent High Court case against HMRC regarding its handling of a subject access request (SAR) previously submitted by Ashley.

The dispute arose from Ashley’s sale of properties, during which HMRC challenged the valuation and issued a tax demand of £13.6 million in 2016. Although HMRC later withdrew the demand after admitting procedural errors, Ashley submitted a SAR requesting “all information” held on him by HMRC. The High Court found that HMRC provided only a fraction of the relevant data, adopting an unduly restrictive approach.

This article examines the legal obligations of organisations when responding to a SAR and what businesses can learn from this case.


What is a Subject Access Request (SAR)?

A SAR is a legal right granted under both the GDPR and the Data Protection Act 2018, allowing individuals to request information about the personal data an organisation holds on them. When a SAR is made, the organisation must provide:

  • A copy of the personal data it holds on the individual.
  • Details about how and why the data is being processed.
  • Information on any third parties to whom the data has been disclosed.

Key Legal Obligations for Businesses When Responding to a SAR

  1. Timely Response – Businesses must respond within one month. In complex cases, an extension of up to two months is allowed, but the individual must be informed.
  2. Provide Complete Information – Responses must include details on data processing purposes, categories, recipients, retention periods, and the individual’s rights regarding their data.
  3. Verify Identity – Businesses can request proof of identity but should not ask for excessive information.
  4. Apply Exemptions Where Necessary – Some data may be withheld if disclosure affects the rights of others or involves legal privilege.
  5. No Fees – SARs must be fulfilled free of charge unless the request is excessive or unfounded, in which case a reasonable fee may be charged.

What Can Businesses Learn from the Mike Ashley Case?

  1. Respond Promptly & Accurately – Ensure SARs are handled within the legal timeframe and that all relevant data is provided to avoid regulatory penalties.
  2. Implement Clear Procedures – Assign a dedicated team, train staff on compliance, and maintain records of SARs to streamline responses.
  3. Mitigate Data Protection Risks – Regularly audit data practices to ensure security, accuracy, and lawful processing.
  4. Prioritise Transparency – Clear communication about data handling builds trust with customers, employees, and regulators while demonstrating compliance.

How to Properly Handle a Subject Access Request

To ensure compliance with SAR requirements, businesses should follow these steps:

  • Acknowledge the Request: Confirm receipt in writing and outline the expected response timeframe.
  • Verify the Identity: If necessary, request proof of identity to prevent unauthorised access.
  • Review and Identify Relevant Data: Conduct an internal search for data within the scope of the SAR, ensuring no irrelevant or confidential data is mistakenly included.
  • Provide the Data: Supply the individual with a copy of their data in a clear, accessible format, explaining any redactions or exemptions applied.
  • Document the Process: Keep a record of the SAR, including actions taken and responses provided, to demonstrate compliance in case of an audit.

Conclusion

Mike Ashley’s case against HMRC underscores the importance of complying with Subject Access Requests and the potential legal and reputational risks of failing to do so. By ensuring timely, accurate, and transparent responses, businesses can avoid penalties and enhance trust with their employees, customers, and stakeholders.

To navigate the complexities of data protection law and SAR compliance, businesses should implement clear policies, conduct regular audits, and provide staff training.
