Six ways to reduce a SAR workload

Responding to a subject access request can be time, energy and resource consuming. We have six ways to help ease the burden

Author details

Lisa Griffin is content lead at Optimus Education, focusing on leadership and governance. 

A subject access request (SAR) allows individuals to access their personal data held by an organisation. The law does not require the requester to limit the scope of their request, so it is perfectly acceptable to ask for a large amount of information.

An ex-staff member for example, who had been at the school for many years, may request to see their personal data. This could involve tens of thousands of emails, documents and intranet messages. As a DPO, do you have the resources to deal with large SARs? Do you need to take time and resources to train other staff members to help manage one?

The bigger the SAR the more time it takes to deal with and the more it costs. Therefore, the first piece of advice is….

1. Minimise the amount of data you keep

If you don’t need it, then don’t keep it. If you’re not using it, then don’t keep it. 

One of the biggest data drains will be the number of emails stored on your school system. How long do you keep emails for? Do you have a retention process or policy? Many emails will not need to be kept more than one to two years. Think about how many emails you send that are simply meeting confirmations or changes; they don’t need to be kept.

If an email is deemed important enough to keep it should be filed and stored appropriately, centrally, not kept in one email inbox with limited access. An email inbox is not a filing system. Backups should also be deleted to help minimise the amount of data you will need to deal with should a SAR arrive.

You may want to set storage limits on inboxes to make it every individuals responsibility to only keep necessary emails. When close to the limit, staff will receive a message warning them they are running out of space. This should give them a timely reminder to delete what is no longer needed.

Once this limit is reached, emails cannot be sent or received. Remind them that important emails should be stored in the secure shared storage system.

Remember, the less data you keep, the less information you will need to go through if and when you receive a SAR.

2. Create a culture of compliance

Staff need to be reminded often that it is their individual responsibility to be data compliant. How do you know staff know what they know? How do you evidence staff training and, more importantly, learning?
The ICO recommend more active learning for staff data protection training, for example using knowledge-based testing of GDPR to ensure staff awareness of their responsibilities.

You need to be able to evidence compliance and evidence training so will need to provide opportunities for staff to show what they have learnt. You can use quizzes or Q&A sessions for example.

They key is keeping data protection and compliance at the front of staff minds with interactive, ongoing, consistent training. Regular light bite training sessions are more useful than a one-off longer session every six months.

3. Talk to the ICO

Make use of the free help the ICO offer. The ICO are available to talk through any queries you have relating to a SAR you receive.

They can offer help and advice, so it is always worth getting in touch with them if you receive a SAR and want to double check that you are handling it correctly. It may save a lot of time and trouble further down the line too.

4. Get organised

What is your process for communicating with an individual when you receive a SAR? It is good practice to send an initial email back confirming receipt and letting the individual know that the request will be investigated ASAP. You may decide this is within 24 or 48 hours for example as this will just be the initial search of systems.

You have one calendar month to complete the request and this can be extended by a further two months if the request is simply not achievable, for example due to the amount of data involved or staff resource it will take.

Determine your need for an extension as soon as possible and let the requester know. Just because you have one month to respond doesn’t mean you should take most of that time. It isn’t against the law but it doesn’t look very organised or helpful if you inform the requester on day 28 that you need an extension.

5. Be transparent

From the outset it is advisable that you keep lines of communication open with the requester. Be helpful, cooperative and transparent in your handling of the request. Touch base with the individual to let them know you’re dealing with it and will be in touch if any problems.

If you decide the request is simply not achievable due to the amount of resource involved, even with an extension, try and talk to the individual to drill down exactly what it is they are looking for. Be helpful and tell them you want to get them the data they’ve asked for as quickly as possible and it may be easier to narrow it down.

If you can focus the search and get them some initial data you may find that is enough for the time being. Do remember though that you cannot demand the scope be narrowed and they can refuse.

6. Know when you can say no

There are some instances where you can refuse a SAR. These are if the request is:

  • manifestly unfounded
  • manifestly excessive.

Manifestly unfounded may include a request based on malice or an intent to cause disruption.
Manifestly excessive may include an individual making numerous, ongoing requests or asking for duplicated content.

If you believe a request to be manifestly unfounded or excessive, talk to the ICO or refer to the ICO website for help.

Think before you write it, think before you keep it

Having processes for data minimisation and protection and ensuring staff follow them is key to making SAR management easier. Do you really need to send that email? And, perhaps more importantly, do you really need to keep it?

Building a compliance culture and mindset among staff helps always keep it on their minds. Follow this advice and your SAR-related headache will hopefully ease.

 

With thanks to Dai Durbridge, partner at Browne Jacobson LLP.

Last Updated: 
08 Jun 2022