The warning follows the case of Liberal Democrat MP Norman Baker, who took MI5 to a tribunal this summer to get access to files he believed were held on him.
Although MI5 argued that it was exempt from data protection legislation on the grounds of national security, the tribunal ruled that the security services should work on a case-by-case basis.
Michael Clinch, senior consultant at IT law firm Picton Howells, said the case has implications for all organisations and businesses. "In terms of private businesses, they have to be aware of their obligations," said Clinch.
"Anyone who expects requests for information needs to be prepared to deal with these requests and has to make sure that the internal infrastructures are in place to deal with them. Companies have to deal with these requests positively and on an individual basis."
Clinch said it is good management practice to put in place an internal policy for handling the processing of requests. He added that larger firms should have a person whose job is to deal with the processing of each application.
The Data Protection Act states that individuals should expect a reply to their request within 40 days. Companies that do not comply could end up in court.