Subject Access Request (SAR)

Due to the volume of data that is held on individuals and the implementation of the GDPR (General Data Protection Regulation), businesses have a legal obligation to ensure that the data is being managed appropriately. Compliance includes:

  • Ensuring that the data is stored in a secure manner and that it remains confidential
  • Taking technical measures to test the integrity of platforms hosting data, including such measures as carrying out penetration tests etc.
  • Ensuring that the data is not shared, used inappropriately or held too long
  • Gaining consent and providing clear terms and conditions about why the personal data is required
  • Making data readily available in the event that a Subject Access Request (SAR) is made
  • Being able to manage requests from individuals who would like their data erased (the ‘Right to be forgotten’) or data portability (transmitting data to a new controller)

Individuals are now aware of their right to request personal data, so whether that’s because of a concern for their own privacy or as part of litigation, businesses need to be able to respond in a manner that is compliant, defensible and within a set period of time.


Subject Access Requests: using eDiscovery tools ensures compliance and is cost-effective

With the use of eDiscovery, Subject Access Requests (SARs) that involve electronic data can be managed quickly and efficiently, thus minimising the overall disruption to the business and costs involved in responding.

The Electronic Discovery Reference Model (EDRM) is a useful guide to follow to identify, isolate and extract data ready for disclosure to an individual.

Whether data is stored in multiple locations dictates which stages of the EDRM are required, and in some cases parts of the process may need to be repeated or run simultaneously before everything can be collated. However, as data is put through the EDRM process, the volume decreases and the information extracted becomes relevant.


Information Governance balances the evaluation, creation, use, storage, archiving, security, compliance and deletion of electronically stored information (ESI). It also covers the policies, processes and standards (systems and procedures) that an organisation has adopted, thus ensuring efficient and effective use of data and mitigating risks and potentially unnecessary expenses.


Identification is a scoping exercise to establish (identify) the general classes/sources of data that are relevant to the SAR. This might include such things as email accounts, the subject’s own PC, related/connected personnel (for example team members/management), servers (backup and cloud-based as well), smartphones and tablets, and accounting software. It will also include any hardcopy documents relating to the individual. These documents can be converted to electronic form if necessary and integrated with the ESI for further analysis.

Preservation and collection are processes that quite often occur simultaneously. Preservation ensures that any data identified as relevant is protected from any inappropriate alteration or destruction. Collection is pulling all the data together and collating it ready to be processed by an eDiscovery provider. This may be as simple as putting the data onto an external hard drive; however, if the SAR covers multiple and complex searches then it may require input from a Forensic Data Team, who will assist in identifying meaningful data.


Processing, Review and Analysis take the following form:

  • Processing is where the ESI is converted into a form that is suitable for review and analysis and uploaded onto an eDiscovery platform such as Relativity.
  • Review is made easier with the use of Early Case Assessment (ECA) tools, which allow trends in data to be identified and also mean that references to third parties can be identified and removed, ensuring that the results of the SAR are relevant to the subject only.
  • Analysis means that the data is presented in a logical way so that reviewers can work their way through the results a lot quicker, thus saving on expense and time.

Production and Presentation ensure that the data identified is presented in a way that is concise and clear.

If your organisation is presented with a SAR then using an eDiscovery provider to collate relevant data for disclosure is both practical and cost-effective.

For full information and guidance on all aspects of GDPR and SARs, visit the Information Commissioner's Office (ICO) at https://ico.org.uk





All personal data are processed in accordance with UK data protection legislation. All feasible security measures are in place.