0370 270 6000

already registered?

Please sign in with your existing account details.

need to register?

Register to access exclusive content, sign up to receive our updates and personalise your experience on brownejacobson.com.

Privacy statement - Terms and conditions

SAR support

< Return to Back to Business hub

Minimising the disruption of Subject Access Requests on your business

Data protection legislation gives individuals the right to request a copy of their personal data- known as a subject access request (SAR). The purpose of a SAR under data protection legislation is to allow individuals to see how their personal data is processed. We are increasingly seeing SARs made in the context of a grievance or other litigation - sometimes in circumstances where the requester is looking for a ‘weapon’ to support their claim or, increasingly, wants to cause a nuisance (on the basis that SARs are notoriously very expensive for businesses to comply with and the consequences of getting things wrong can be severe).

In light of an expected increase in employee grievances, particularly as a result of the Covid-19 crisis, it is fair to expect a significant increase in the number of SARs, requiring businesses to devote considerable time and energy to their response. It is important that in responding to those SARs, you are able to balance your obligations to comply with individual’s rights under the data protection legislation against a desire to protect your information and the personal data of third parties.

We have a three-stage approach to assistance with SARs to enable us to support you from the time that you receive the request until the point that the requested personal data is sent to the requester. We can offer you a fixed price for assistance with your SAR response.

How it works

We provide SAR Support in three stages:

Stage 1: initial advice

When a SAR is initially received, it is important that an organisation is able to determine what would amount to a ‘reasonable’ search for personal data bearing in mind the scope of the request.

Often, that requires an organisation to clarify the scope of the search, liaising with the requester to determine where it will search for personal data and over what time period.

In particularly complex cases, an organisation may also wish to consider extending the deadline for its response by up to further two months, in accordance with its rights under the legislation.

We have significant experience assisting our clients with clarifying the scope of its searches and liaising with the data subject to clarify the scope and extend the deadline. This stage would include:

  • a call with you to discuss and advise on the extent of the searches required, whether those searches can be refined and whether the deadline may be extended; and
  • drafting a letter to the requester clarifying the scope of the searches and extending the deadline (where relevant).

Stage 2: administration - reviewing the bundle

Often once the searches are undertaken, that personal data is received in a format that cannot be easily reviewed and redacted.

Documents must either be converted into a PDF format to allow for electronic redaction, or printed and redacted by hand – both of which can be extremely administration-heavy and time-consuming.

We provide a technical solution to this problem. We work with a third party provider to convert the data into a format ready for review.

Once converted, that data will be hosted on software which allows for review and redactions to take place directly into that software. Duplicate documents would also be removed at this point to narrow down the amount of documents that need to be reviewed in step 3.

Stage 3: document review

Once the bundle is prepared it is ready for review and redaction.

We have significant experience reviewing and redacting documents found as a result of a search for personal data on behalf of our clients. We would be looking for:

  • personal data which is outside the scope of the request
  • third party personal data
  • personal data subject to exemptions; and
  • information which is not personal data and therefore not disclosable.

We would also flag any documents or information which may be disclosable in response to a SAR but which may be a concern or commercial risk to our clients (those documents may be required to be disclosed to comply with legal obligations, although this enables our clients to be fully aware of the potential risks as a result).

We would undertake this review and redaction on the basis of a fixed fee, depending on the number of pages required to be reviewed.

Once the review is completed we would prepare a final bundle for disclosure.

Next steps

Would you like to find out more about how our SAR support product could help with the compliance needs of your organisation, or get a fixed price for assistance with a SAR? We would love to speak to you. Please contact one of our team using the details below or complete the form on this page and someone will be in touch to discuss this with you.

< Return to Back to Business hub