Strategic approaches to managing subject access requests: A guide for public sector organisations

As public sector organisations face increasing volumes of subject access requests (SARs) under UK GDPR, the need for strategic approaches to managing these requests has become paramount.

Heather McKay, Senior Associate specialising in data protection, and Taylor Berzins, Associate in our data team, explore the challenges faced by public sector organisations in managing SARs effectively and offer practical guidance for developing sustainable response strategies.

The challenge facing public sector organisations

SARs are a fundamental right granted to data subjects by virtue of Article 15 of the UK GDPR. In the delicate balance between data subjects whose personal data is processed and the organisations (data controllers) who manage and use that data, lies the SAR framework. The UK GDPR grants this fundamental right to help data subjects understand what personal data an organisation processes and how, whilst importantly providing access to obtain a copy of their personal data undergoing processing.

The right is far-reaching which has led to the growing trend of SARs being used tactically by individuals as an alternate means of gaining information from organisations. A trend observed by many of our public sector clients. The problem is not only the growing volumes of SARs but also the breadth and complexity of the requests they are receiving, combined with ever-stretched resources, this creates a perfect storm of challenges.

Current trends in SAR usage

We’re witnessing an increase in SARs being deployed as tactical tools in broader disputes ranging from formal complaints procedures and internal grievances to employment or other tribunal proceedings.

Motivations behind SARs vary from one requester to another ranging from legitimate data subjects seeking access to their personal information to individuals seeking evidence for disputes who may misunderstand SAR scope and limitations. Under a SAR you are entitled to information about you, and an organisation may be entitled to redact or withhold information that is broader than this. More commonly, is the problem of mixed third-party personal data.

Where email, teams and other chat applications are a common part of life, personal data often includes an exchange between multiple people. Determining what is the personal data of a data subject making a request and other people is a fine art and not always straightforward, requiring careful analysis and application of available exemptions.

Balancing rights and resources within public sector organisations

Whilst most organisations recognise SARs as a fundamental data protection right under UK GDPR, they need to manage resource constraints in public sector organisations already facing capacity challenges.

Over the last six months, we have seen a drastic rise in SARs, placing unprecedented pressure on already stretched teams. The difficulty between upholding individuals' rights to access their personal data and maintaining operational efficiency has become problematic, particularly as the volume and complexity of SARs continue to rise.

Public sector bodies must be able to navigate this balance without compromising their statutory obligations whilst dealing with limited resources. One of the main challenges we have found for our clients is that SARs often require significant manual effort to locate, review, and redact information across multiple systems and departments, diverting staff from their core functions. Whilst resource constraints are a real problem, they cannot justify non-compliance. Instead, organisations must treat efficient SAR handling as an essential part of good governance and accountability. 

Strategic solutions: Three key approaches

1. Establish robust foundations: If resources permit, identify dedicated SAR response teams, create standardised procedures, and provide your staff with comprehensive training on recognising SARs, understanding the scope and applying exemptions effectively.
2. Clarify the scope of the request: Understanding what is genuinely being requested and engaging proactively with data subjects to narrow overly broad requests can significantly streamline the process. 
3. Leverage upcoming changes: The Data (Use and Access) Act 2025 introduces 'reasonable and proportionate' search requirements under Article 15 of the UK GDPR. Whilst interpretation remains to be established, this change should provide welcome relief for organisations managing complex, large-scale requests.

Making the most of your SAR request

From a requester's perspective, how can you maximise the effectiveness of your request given the constraints facing information governance teams across the public sector? Firstly, be concise; can you clearly articulate what you want? Whilst you don’t have to provide a reason for your request, the clearer you can be, the more useful the results. Specify the date range and, to avoid your request being rejected as excessive, consider limiting it to key dates.

Don’t hesitate to reach out to the organisation for assistance and respond promptly if they ask for guidance in clarifying or narrowing your request.

Moving forward

Effective SAR management requires strategic planning, proper resources, and a collaborative approach. Professional training and specialised support services can help organisations develop sustainable approaches to managing increasing request volumes whilst maintaining compliance and service quality.

We encourage you to review your current SAR processes: Are your teams properly equipped? Do you have clear, standardised procedures? Could your response times be improved? Are you making the most of available exemptions?

Taking action today can prevent tomorrow's compliance challenges.