What To Do If A Subject Access Request Uncovers a Data Breach
Learn how SARs and data breaches overlap, and what steps to take if the SAR you’re handling reveals a data breach.
You’re handling a SAR and gathering the information the data subject has requested when you come across something more serious: a data breach.
In this article, we’ll discuss how SARs and data breaches interlink, the scenarios in which they might overlap, and what to do if this happens.
How SARs and Data Breaches Overlap
A Subject Access Request (SAR) is the right of access under GDPR that allows individuals to request a copy of the personal data an organisation holds about them. A data breach, on the other hand, is a security incident that compromises the confidentiality, integrity or availability of personal data, for example through loss, unauthorised disclosure or unauthorised access.
SARs can reveal data breaches in two main ways:
- The information gathered for the SAR response reveals an earlier unauthorised disclosure or access that was never spotted or reported.
- The organisation handles the SAR itself improperly, for example by sending the requester other people’s personal data, so that the response is the breach.
Common Scenarios Where SARs & Data Breaches Overlap
- Inadequate redaction of third-party data. This is a common and high-risk type of breach in which the organisation fails to properly redact or remove other people’s personal information from the records it discloses. The requester then receives personal data about others, which is itself an unauthorised disclosure and therefore a breach.
- Failure to secure personal files. In the process of gathering data for a SAR, a company might discover that records from years earlier had been lost but never reported. The SAR has revealed a data breach, forcing the company to confront the possibility that personal data has been compromised.
- Unauthorised access to emails. While gathering data for a SAR, a company might discover that an employee had previously fallen for a phishing attack that compromised their mailbox. The attacker may have read or exfiltrated personal data, used the account to commit fraud, or both.
Steps to Take If a Breach Is Discovered
If you discover a breach while gathering information for a SAR, there are a few steps you should take immediately.
- Pause and assess: don’t ignore the finding. Record what you found, when you found it and how.
- Contain the issue: can the breach be stopped or mitigated? For example, revoke compromised credentials or recall a misdirected response.
- Conduct a quick impact assessment: whose data is affected, what kind of data, and what could happen to them as a result?
- Report internally to your DPO or data protection lead without delay, because the clock for notifying the ICO starts when the organisation becomes aware of the breach.
Ideally, keep SAR handling and the breach investigation separate but coordinated. For more in-depth information, our guide “What Should You Do After a Data Breach? A Guide for Businesses” covers the steps to take in the event of a data breach.
Legal and Regulatory Considerations
Reporting to the ICO
You must report a notifiable data breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. Not all breaches are reportable: a breach need not be reported if it is unlikely to result in a risk to individuals’ rights and freedoms, although you must still record it internally. If you’re not sure, the ICO has a self-assessment tool to help you determine whether your organisation needs to report the breach.
Informing the Data Subject
In addition, if the breach is likely to result in a high risk to people’s rights and freedoms, you must also inform the affected individuals without undue delay. Note that the affected individuals may not be the requester: in the redaction scenario above, they are the third parties whose data was disclosed.
Should You Pause the SAR Response?
Generally, you don’t need to pause the SAR response, and discovering a breach does not stop the statutory deadline. If the request is complex or you are handling several from the same individual, you may be able to extend the one-month deadline by up to two further months, but you must tell the requester within the first month.
Best Practices to Avoid Data Breaches & Handle SARs
A combination of strong technical security measures, staff training, clear policies and proper planning will put you in the best position for avoiding data breaches and handling SARs. This includes:
- Data mapping and minimisation: Know what data you hold and why.
- SAR simulation exercises: Test how your team would handle one.
- Improve data hygiene: Routine audits and retention reviews.
- Training: Ensure staff know how to spot and escalate issues.
Get SAR Support With Data Protection People
SARs can give you insights into your data ecosystem that you might never have discovered otherwise, and that includes data breaches.
If SARs feel overwhelming – we can help. Whether you’re looking for someone to redact sensitive information or handle the SAR from start to finish, we offer the whole suite of SAR handling services. Talk to our data protection experts today.