Data protection disputes in Northern Ireland, and indeed throughout the UK, are increasingly becoming the subject of civil litigation. This is being driven by three connected shifts: the tactical use of subject access requests (SARs) to obtain early information; the steady normalisation of damages claims under the UK GDPR and the Data Protection Act 2018 (DPA 2018); and growing frustration with regulatory timelines.

This article highlights recent trends we are seeing across the UK (and which are increasingly relevant in Northern Ireland) and draws out practical implications for organisations likely to be on the receiving end.

 

1. SARs as a substitute for early discovery

In the majority of civil litigation, discovery is often dealt with following exchange of pleadings. The court rules do provide a mechanism to enable a party to seek pre-action disclosure (in advance of such pleadings), but this requires additional cost and time. However, by contrast, a SAR (the right of access under Article 15 UK GDPR) is a means of accessing certain information at any time, without charge and (in most cases) must be answered within one month. In particular, the timing differential is a powerful tactical incentive for prospective claimants and their advisers.

There are some types of disputes where a SAR can be used particularly effectively to frontload information gathering at an early stage and even inform the grounds for dispute; such as in employment, professional negligence, financial services complaints and data breach claims.

Whilst there can be some overlap between the two options, the SAR route is not always an appropriate substitute for a formal pre-action discovery request or application as the documents required to be disclosed may be much more limited, for example, if they relate to a third party. As ever, this places an onus of vigilance upon companies whenever they receive a SAR.

For organisations in Northern Ireland, the trend means SAR readiness is no longer just a compliance function but is now a matter of litigation-risk control. The one month deadline, combined with the breadth of “personal data” and the volume of modern communications, means SAR handling is often the first substantive battleground in a dispute.

We do also see that controllers sometimes assume that a SAR can be resisted if it is made for the “wrong” reason, such as to obtain material for litigation, however the courts have not been prepared to easily accept that a SAR is invalidated simply because there may be an ulterior motive (such as considering litigation).

Practical steps that can reduce the risks to businesses include: (1) having a triage process that identifies when a SAR is likely to be dispute driven; (2) maintaining good records of data sources and custodians; (3) following a documented and defensible search methodology; (4) reserving sufficient time to consider privilege and exemptions ; and (5) establishing audit-quality record keeping processes so that, if challenged, the organisation can evidence a reasonable and proportionate approach.

 

2. Damages claims for data protection breaches are becoming routine, not exceptional

The UK GDPR provides a right to compensation for material and non-material damage under Article 82. The DPA 2018 supplements this, including by expressly stating that “non-material damage” includes distress.

The Court of Appeal’s decision in Farley and others v Paymaster (1836) Ltd (t/a Equiniti) [2025] EWCA Civ 1117 is a significant recent development, and one which has not been especially welcomed by businesses in Northern Ireland. The judgment is widely considered as lowering a perceived hurdle to low value claims, including by expressly rejecting an approach that would have required proof that personal data was disclosed before a claim could proceed. Permission to appeal the decision to the Supreme Court has recently been granted so the final word on this is still to come and we will be keeping this under close review.

For Northern Ireland controllers, processors, litigators and in-house teams, the direction of travel matters more than any single case. The practical point is that damages claims are increasingly being pleaded as a standard remedy, often alongside other privacy causes of action, and organisations should assume that individuals will increasingly look for compensation rather than solely corrective steps.

Recent settlements offered, for example, in respect of the HIA and PSNI data breach claims in Northern Ireland have been widely publicised in mainstream media and will undoubtedly reinforce public understanding of individuals’ rights to redress.

 

3. The ICO can’t award compensation and delay may be nudging complainants towards court

A central driver of civil claims is that the ICO does not have the jurisdiction to award compensation to data subjects. Indeed, the ICO’s complaints page state clearly that individuals seeking financial redress must pursue it independently, including via the courts if necessary.

This may be coupled with the ICO’s reporting that (as of the date of this article) complaints which require detailed consideration can take up to 40 weeks just to have a case officer assigned, to suggest that individuals will look to civil claims as an alternative option; especially in circumstances where individuals are  concerned about evidence preservation or their primary objective may be compensation. Litigation may also prompt faster engagement especially where insurance notification and court time limits are triggered.

A careful caveat is however needed here: regulatory enforcement and civil litigation are not mutually exclusive. A well prepared ICO complaint can still be strategically useful, including as a way of generating regulatory scrutiny or strengthening settlement posture and this remains a point of concern for businesses here.

 

4. Common patterns we see in pleaded cases

“Kitchen sink” pleadings and parallel causes of action

Data protection claims are frequently pleaded alongside misuse of private information, breach of confidence, negligence and sometimes defamation or harassment (depending on facts). This is partly because the factual matrix overlaps and partly because claimants will often seek to maximise available remedies and to circumnavigate procedural hurdles.

Litigation about the SAR itself

Increasingly, how SARs are handled becomes a dispute within the dispute. Allegations include delay, incomplete or inadequate searches, improper reliance on exemptions and inadequate explanations. The ICO’s SAR guidance is often used as an informal benchmark for what a court may regard as reasonable controller behaviour, so careful consideration of controllers’ responsibilities in dealing with SARs remains highly important.

A growing focus on governance evidence

Whether a data protection claim arises from a cyber incident, a misdirected email or an internal process failure, liability arguments are increasingly focussed on matters of governance, including scrutinising: documented security measures; training records; retention schedules; impact assessments; incident response logs and audit trails showing timely decision making. This is the practical battleground behind the pleadings which will already be familiar in typical employers and public liability matters and will increasingly take priority in data protection matters.

 

5. Practical takeaways for Northern Ireland organisations

1. Treat SARs as potential pre-action steps. Build a repeatable process that can withstand scrutiny, including defensible searches and careful application of exemptions and privilege.
2. Assume damages will be claimed, even where the incident seems minor. Assess the risk of distress-based allegations and consider causation, harm and mitigation.
3. As the ICO cannot award compensation (and because most claimants are more concerned with personal compensation than regulatory fines or admonishment), many will view civil settlement as the most direct solution. Early, well-structured engagement can often be more cost effective than litigating disclosure disputes and quantum arguments.
4. Be realistic about regulatory timelines. Where the ICO states that “more detailed” complaints may take up to 40 weeks to be allocated to a case officer, organisations should plan for the possibility that claimants will issue proceedings first, particularly if they want a remedy that the ICO cannot provide.

 

For legal guidance on  how potential disputes are engaging data protection matters more frequently, or the steps that can be taken to prepare for and mitigate such matters, please contact Paul Eastwood, Pauline Walker or a member of our Data team.

While great care has been taken in the preparation of the content of this article, it does not purport to be a comprehensive statement of the relevant law and full professional advice should be taken before any action is taken in reliance on any item covered.