Subject Access Requests (SAR) – Beware of the SAR Storm!

Oct 11, 2017 | Blog, GDPR

I have heard from and spoken to a number of companies and organisations, and it seems that in many cases, they are happy to see how many Subject Access Requests they receive after the 25th May 2018 to decide how they want to deal with Subject Access Requests from data subjects.

For the uninitiated, any data subject in the EU can request any organisation to provide all the personal data that is held on them, which has to be delivered within 1 calendar month. If the request is done electronically, the reply must be in electronic format.

This may present substantial difficulties where organisations have data stored on paper in vaults that are not indexed by individual, or on microfiche, indexed perhaps by department, year and month, rather than by the individual. That means that if they haven’t started rescanning that information, then on receipt of a Subject Access Request they will be bringing back the boxes of files, or the microfiche, sorting through them manually and manually scanning them.

A good example is Restore, who say they can retrieve the boxes within the 30-day time frame. But you must bear in mind that the customer may not be able to sort through the 30+ boxes, scan and index them and, if necessary, perform redaction on the copies in the remaining time.

A potentially expensive scenario

A customer has had particularly poor service from an organisation and, thus disgruntled, makes a Subject Access Request for their data from that organisation on Friday the 1st June, at 16.00 hours. The data is held on paper in deep storage, and fortunately for the organisation, it is all contained in just 10 boxes. The organisation has designated one person to be primarily responsible for Subject Access Requests (let’s call her Sarita, for simplicity’s sake). Sarita reads the SAR request at 09.00 on Monday 4th June, checks the files and sees which boxes need to be retrieved. Sarita then orders the storage company to retrieve the files on Monday at 12.30. However, the storage company is overwhelmed by requests for box retrieval for rescanning by their other customers, so that request gets put in the queue, and they cannot retrieve and send the boxes before 3 working weeks have passed (this is not an exaggeration – I have spoken to two scanning companies and this is likely).

The boxes return

The 10 boxes return on Tuesday 26th June at 10.00. In the interim, Sarita has been diligent and retrieved all the data from the organisation’s databases, their email stores and archives, their instant messaging stores, their shared drives where the PDFs are kept, the personnel files (just in case the requestor was an employee) and is just waiting for the scanning, so feels confident about meeting the deadline.

Down to the scanning department

There are now less than 4 working days left to scan the boxes, which each contain 40 files, of varying paper formats, so the designated SAR employee sends them down to the scanning office with an urgent request for scanning and indexing. But the scanning office has a backlog of work from business as usual, and puts the boxes to one side, and only starts scanning on Thursday 28th June at 10.00. The indexing is considered too time-consuming for such varied format files, so they OCR (Optical Character Recognition) the files without any indexing, and store the results on a shared drive at 18.00, and email Sarita that the files are ready.

Now the OCR means that the files can be word searched, which is an advantage in finding the relevant records. But on Friday 29th June, Sarita is sick, so she emails the details from her sickbed to her nominated backup SAR person, Sarman. Sarman is new to the job and starts searching the 400 scanned files for the data subject’s name immediately, but hasn’t finished by 17.30 and goes home.

Social media repercussions

On Monday 2nd July, the data subject has received no information on the Subject Access Request, so the data subject tweets to their 250 followers that yet again, the organisation has screwed up, and suggests they should submit their own Subject Access Request. 20% of their followers retweet to their 250 followers that the organisation has failed to deliver – again.

Now that means that 2,550 people have become aware of the organisation’s failure to deliver within 1 calendar month. You can imagine that this could become a Twitter tsunami creating a SAR storm, depending on how hated the organisation is. Simply put, a PR disaster.

The SAR storm starts

Let’s assume just 10% of those people are so incensed that they then submit a SAR to the organisation. You can see that Sarita and Sarman are not going to be able to deliver the information to all those people in time. A lot of those disgruntled people will be complaining to the ICO, which means an investigation and fines are likely to be forthcoming, plus the loss of trust in the organisation, and possibly the loss of business which on its own account may be a huge loss.

But isn’t this vindictive?

It could be considered vindictive, but the organisation would have to prove to the ICO that this was a vindictive action by all those 255 people and the Subject Access Requests were not justified, and even then, the original failure to deliver would still be clearly a failure to deliver in the stipulated time frame.

What can you do to prevent the SAR Storm?

You should ensure that your SAR process can handle all the data you have in store. Scan paper stores or purge them as soon as possible. Surveys reveal that 85% of data in an organisation is either ‘dark data’ (of unknown business value) or Redundant, Obsolete or Trivial (ROT). Bigger companies are staffing up for a SAR storm, scanning or destroying documents in storage, ensuring that the SAR process is in place and has been built with escalation procedures to handle high volumes of requests. They are also monitoring Twitter assiduously so that any bad messages about their organisation can be intercepted early, and they have allocated people to nip those in the bud, and make the unhappy people happy again and less likely to generate a Twitter tsunami.

So what do you think you should be doing?


Join us for our roundtable events to learn more about our approach to assessing GDPR compliance and how we can help your organisation adopt Microsoft Cloud Security Technologies successfully, in time for GDPR enforcement next May.


About our author

Lawrie Siteman

Director | GDPR Specialists

Lawrie Siteman is a director of GDPR Specialists Ltd, a company of independently certified GDPR experts, with resources available to assist organisations prepare for the Regulation. GDPR Specialists offer packages of templates to simplify the processes and procedures needed to speed the route to compliance, will brief and train staff, deliver penetration testing, and be an outsourced Data Protection Officer. GDPR Specialists have also reviewed and can advise on suitability of many software tools available for a variety of databases and unstructured data, and consent management. Lawrie can be contacted through Content and Code or directly on 020 3896 3896.

