LV Liverpool Victoria - Your rights ignored

Published: Wednesday 12 February 2025

Data Protection (GDPR) rights ignored by companies and regulators! ...

Unfortunately, individuals having their Data Protection (GDPR) rights trampled upon isn’t rare. It seems apparent that many organizations will ignore them altogether or lie to you if you call them out on it.

Liverpool Victoria (LV) is one such example where I have had this happen to me yet again: a Subject Access Request (SAR) and a complaint process that exposed how poor some organizations, and even regulatory bodies, are when it comes to understanding basic data protection.

Many people don’t understand their rights, and so organizations will usually get away with this nonsense, but I know my rights, and what followed isn’t confusion or misunderstanding; it’s a systemic failure to take data protection seriously.

Background to my SAR

In 2022 my boiler failed. I contacted LV to ask whether it was covered by my current policy. It wasn’t. I made no claim.

Fast-forward to 2023. While shopping around for insurance, another insurer told me there was something on my record that was affecting my premiums. Insurers share data. I had no visibility of what was being shared, whether it was accurate, or how to correct it.

So on Sunday 23 July 2023, I made a Subject Access Request to LV asking for:

  • The personal data they held about me
  • Any shared databases or disclosures to third parties

This wasn’t theoretical. It potentially had a direct financial impact on me.

Silence, reminders, and more silence

I received no response. I followed up on Friday 18 August 2023, stressing the importance and urgency of the request. Again: no response.

At this point:

  • My legal rights were being infringed
  • I had no way to correct potential errors
  • My insurance costs may have been unfairly inflated
  • I couldn’t speak to a human who could resolve it

Such problems are exacerbated and will get worse with AI, as automated systems, chatbots, and opaque profiling start to take over. Without strong enforcement of data rights, individuals are left powerless.

Information Commissioner’s Office (ICO)

After LV had clearly breached my rights by failing to respond, I raised the matter with the ICO. It’s not exactly clear what their process is but I think they send out emails/letters to parties when someone complains, because shortly after the ICO became involved, LV responded in November 2023, over 3 months after I made my SAR.

They:

  • Supplied the data
  • Apologised for the delay
  • Asserted they had fully complied with their obligations

That last point is crucial.

They did not apologize for breaching my rights. They explicitly stated they believed they had complied with the law. It was very clear they hadn’t, given the time elapsed. They used the excuse that they had to contact a 3rd party. However, this does not change the legal requirement for them to respond.

The law is not ambiguous here

Under the Data Protection Act / UK GDPR, a controller must respond to a SAR:

  • Without undue delay
  • Within one month
  • Or explicitly notify the data subject if an extension is required

LV:

  • Missed the deadline
  • Did not request an extension
  • Did not notify me
  • Responded months later

The ICO confirmed, based on the information they received, that LV was in breach.

Despite this, LV maintained the position that they had complied.

That leaves only two possibilities:

  1. They were knowingly misrepresenting the law to deny liability
  2. They are grossly negligent in understanding their legal obligations

Neither is acceptable.

“Compensation” and quiet compliance

LV issued a £100 cheque alongside their final response. This was a clear attempt to refund my policy and make the problem go away, hoping I’d accept their framing (lies) that this was merely a service delay, not a legal breach.

I do not accept that position. Apologising for lateness while denying a breach is not accountability. It’s gaslighting.

Financial Ombudsman

Because LV’s complaint response was inadequate, and the ICO had identified a breach, I escalated the matter to the Financial Ombudsman Service.

What followed was deeply concerning.

The ombudsman:

  • Framed the issue as a general service complaint
  • Focused on “fairness” rather than legal rights
  • Insisted the issue related to the underwriter, not LV

This is wrong.

I made a SAR to LV as they are the data controller and the party I contracted with. LV failed in its obligations, which include its relationships with 3rd parties. They should have policies and procedures in place that allow them to take care of their data protection obligations.

Furthermore, even if I had made the request to the incorrect party, they are obligated to respond in a timely manner to advise they do not hold the data.

That even the financial ombudsman struggled with this distinction should worry anyone who cares about data protection in regulated industries.

Why this matters beyond my case

This isn’t about £100.

It’s about organizations:

  • Treating legal rights as optional
  • Hoping individuals won’t push back
  • Relying on complexity, delay, and authority to wear people down

It’s also about oversight bodies failing to clearly distinguish between poor service and breaches of statutory rights.

As more decisions are driven by shared databases, automated profiling, and AI systems, access to — and control over — personal data becomes more important, not less.

If large financial institutions don’t understand (or choose to ignore) Subject Access rights, the consequences fall entirely on individuals.

Final thoughts

I don’t expect perfection. Mistakes happen, but they have to be acknowledged, otherwise nothing ever improves. Respect for legal rights and honest engagement is all I’m asking for. Instead, I’ve found that many companies have become complacent, relying on denial and misdirection to make “problems” (that is, people’s rights) quietly go away.

“Saying sorry for the delay” while denying a breach isn’t accountability. It’s avoidance.

And as for regulators and oversight bodies: if they can’t even grasp the basics, then we have a much deeper problem with compliance itself.

References

One of the key proponents in the broader dialogue around consumer rights, particularly in relation to repair, data protection, and similar issues, is Louis Rossmann. He runs a YouTube channel where he discusses many of these topics in depth. The video below is a good place to start.

Dan's Blog