ICO Reprimands UK Organizations for GDPR Failings – Infosecurity Magazine
The UK’s data protection regulator has taken action against seven public and private sector organizations for failing to meet their obligations under the GDPR and UK Data Protection Act.
UK organizations must respond to requests by members of the public for personal information held on them, known as Subject Access Requests (SARs), within one to three months. This is a central pillar of the GDPR, which aims to improve transparency in data processing and enhance data subjects’ rights.
However, after receiving multiple complaints about the erring organizations, the Information Commissioner’s Office (ICO) was forced to step in.
The seven organizations have all been issued with reprimands, which could be escalated to more serious regulatory action if conditions are not met. Several were also given a “practice recommendation” under the Freedom of Information Act 2000, which could lead to an enforcement notice if ignored.
These organizations are:
Information Commissioner John Edwards said the ICO would be providing citizens and organizations with support to streamline the SAR process.
“This includes developing a SAR generator to help people identify where their personal information is likely to be held and how to request it, at the same time as providing information to the organization regarding what is required from them,” he added.
“We expect all information requests to be handled appropriately and in a timely way. This encourages public trust and confidence and ensures organizations stay on the right side of the law.”
A Virgin Media spokesperson sent the following statement to Infosecurity: “We apologize that our handling of subject access requests last year was not to the standard it should have been. We have since put measures in place which have significantly improved our performance and will continue to carefully monitor this.”