The Evolution of SARs

It’s funny how you remember the first Subject Access Request you ever worked on. It’s like a rite of passage that leaves an indelible mark.

The first SAR in question was the first in a spate of inbound SARs back in 2007 when the Outsourced DPO was the outsourced DPO at one of the UK’s leading Premier League Football Clubs.  It was a painstaking process and mostly manually, marking up by hand-printed documents using Tipp-ex pens and keeping track of everything we did to each document in an Excel log sheet.  Myself and my most excellent colleague Joe Colleran burning the midnight oil in the Sponsors Lounge at Goodison Park.  Wow, how things have changed since then.

It’s a far cry from the way we operate the SAR Bureau at DPP.  In the Bureau, we have a team of 20 skilled reviewers using top-end enterprise-grade forensic e-discovery tools that crunch through millions of lines of information hunting for search terms and analysing patterns in the text to exponentially speed up the document review process compared to manual “eyeballing”.  Another major gain of the system is a huge improvement in deduplicating the document set.  The old method relied on Joe having a vague recollection of previously having seen something similar and using the Excel log to locate it in the bundle.  Finding duplicates in the Bureau is an automatic part of the document ingestion process often cutting down volume by half.  That in itself is a massive win, but the fact that a computer says three documents are exact matches is actually far more reliable and trusted than a human reaching the same conclusion.  These tools allow the team to bash through hundreds of thousands of pages of information in a matter of days.

The entire process is better managed than a decade ago with the Excel-based log replaced by an audit trail of every activity undertaken by each reviewer on the platform, and the document set to review being split into batches and assigned to reviewers.  But the process cannot totally rely on computers yet. Human interaction is needed to determine what is personal data and whether it relates to the requestor or to someone else.  Not only that but whether personal data in question is subject to an exemption or restriction.  Their skill is critical in properly considering the document set, and the fact they do this day in day out through choice arguably means that they are more likely to be quicker and more accurate than a team spun up to handle a SAR when they occur as a one-off which is what we had to do back in the day.

The modern platforms also make it easy for us to control the quality and consistency of the output too.  Reviewers can flag information for “second opinion” and DPP’s subject matter experts can log in to take a look at something particularly tricky or contentious.  Every page of every document is forced through a quality assurance review process where a team of 5 QAers review the work of the initial reviewers, and once the final bundle of documents is rendered for release to the requestor, it goes through another final check.

It’s amazing to think of the progress made since those early SARs.

Philip Brining – Director – Data Protection People