Oxford Academic Tests UK and US Data Controllers

22nd August 2019 Media Law

It has recently been reported in the media that a UK based security expert, James Pavur has tested how UK and US organisations respond to a subject access request made by him for his fiancee’s data using a fictitious email address.

Mr Pavur reported his findings to the Black Hat Cyber Security Conference in Las Vegas.

By way of background, the General Data Protection Regulation or “GDPR„ as it is more commonly known, sets out the law on data protection in the European Union and came into force on 25th May 2018. The Data Protection Act 2018 is UK legislation and is intended to compliment the GDPR.

An individual (or “data subject„ as they are known under the GDPR) has the right of access to know who is holding their personal data, how that data is being used (or “processed„ as the GDPR says) and obtain a copy of the data, this right is more commonly known as a “subject access request„ (SAR).

When an individual makes a SAR, the organisation has one month to respond unless the request is complex in which case the organisation may have up to two months to respond. In any event, the organisation must let the individual know within the month that they will be taking longer.

The media reports say that Mr Pavur made the SAR in writing and speaking broadly there were three outcomes.

Ignorance is Bliss

Smaller companies tended to ignore Mr Pavur’s request. This in of itself would be a breach of the GDPR because, as was explained above, an organisation has one month to respond. A failure to respond in that timeframe would result in an individual potentially being able to claim damages for distress from the data controller and may give the individual the right to apply to the Court for an order to force the data controller to provide a copy of the data.

Data breach

Some organisations, which tended to be the medium sized organisations, provided Mr Pavur’s fiancee’s data to him. This would be regarded as a data breach, without the correct authority being in place, and would give rise to Mr Pavur’s fiancee potentially being able to claim for damages from the data controller.

Correct Approach

Larger organisations, presumably because of better training and more advanced internal processes, requested photo ID before responding comprehensively to the SAR.

Under the GDPR a data controller can request identification if they are unsure who is making the SAR.

Mr Pavur reported to the conference that 60 pieces of his fiancee’s personal information were exposed to him, which included a list of his fiancee’s overnight stays, a list of rail journeys and her exam grades.

Mr Pavur is an academic and expert in cyber security and his SAR’s were made for reporting purposes for his paper, and with his fiancee’s consent, however, we would strongly discourage anyone from making improper SAR’s.

If you have been the victim of a data breach or if you have made a SAR and not received a response within one calendar month or have received an inadequate response, you may be entitled to compensation and have other relevant rights of action.

Talk to Us

For more information contact the Data Law team at JMW Solicitors on 0345 872 6666 or complete the web form and a member of the team will contact you.

We're Social

Dominic Walker is a Solicitor located in Manchesterin our Media Law department

View other posts by Dominic Walker

Let us contact you


COVID-19 Update - Our website and phone lines are operating as normal and our teams are on hand to deal with all enquiries. Meetings can be conducted via telephone and video conferencing.

View our Privacy Policy

Areas of Interest