The Evolution of SARs

By Myles Dacres

It’s funny how you remember the first Subject Access Request you ever worked on.  It’s like a rite of passage that leaves an indelible mark.  The first SAR in question was the first in a spate of inbound SARs back in 2007 when the Outsourced DPO was the outsourced DPO at one of the UK’s leading Premier League Football Clubs.  It was a painstaking process and mostly manually, marking up by hand-printed documents using Tipp-ex pens and keeping track of everything we did to each document in an Excel log sheet.  Myself and my most excellent colleague Joe Colleran burning the midnight oil in the Sponsors Lounge at Goodison Park.  Wow, how things have changed since then.

It’s a far cry from the way we operate the SAR Bureau at DPP.  In the Bureau, we have a team of 20 skilled reviewers using top-end enterprise-grade forensic e-discovery tools that crunch through millions of lines of information hunting for search terms and analysing patterns in the text to exponentially speed up the document review process compared to manual “eyeballing”.  Another major gain of the system is a huge improvement in deduplicating the document set.  The old method relied on Joe having a vague recollection of previously having seen something similar and using the Excel log to locate it in the bundle.  Finding duplicates in the Bureau is an automatic part of the document ingestion process often cutting down volume by half.  That in itself is a massive win, but the fact that a computer says three documents are exact matches is actually far more reliable and trusted than a human reaching the same conclusion.  These tools allow the team to bash through hundreds of thousands of pages of information in a matter of days.

The entire process is better managed than a decade ago with the Excel-based log replaced by an audit trail of every activity undertaken by each reviewer on the platform, and the document set to review being split into batches and assigned to reviewers.  But the process cannot totally rely on computers yet. Human interaction is needed to determine what is personal data and whether it relates to the requestor or to someone else.  Not only that but whether personal data in question is subject to an exemption or restriction.  Their skill is critical in properly considering the document set, and the fact they do this day in day out through choice arguably means that they are more likely to be quicker and more accurate than a team spun up to handle a SAR when they occur as a one-off which is what we had to do back in the day.

The modern platforms also make it easy for us to control the quality and consistency of the output too.  Reviewers can flag information for “second opinion” and DPP’s subject matter experts can log in to take a look at something particularly tricky or contentious.  Every page of every document is forced through a quality assurance review process where a team of 5 QAers review the work of the initial reviewers, and once the final bundle of documents is rendered for release to the requestor, it goes through another final check.

It’s amazing to think of the progress made since those early SARs.

Philip Brining – Director – Data Protection People 

Contact Us

Send us a Message

    We would like to use your contact information to send you marketing and promotional materials and special offers by email from time to time. We may only send information to you in this way with your consent. Please indicate whether you consent to us contacting you in this way for those purposes. You may withdraw your consent at any time by clicking the unsubscribe link in our emails.

    We are always happy to make contact with you by either phone, email or a face to face meeting at our office or yours. We work standard UK office hours – every week day 0830 to 1730.


    We have been receiving complaints over the last few weeks from people who have received unsolicited direct marketing calls from a company called The Protection People.  We should like to point out that we are Data Protection People and have nothing to do with those calls.

    We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

    You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here

    We know that these kind of calls can be distressing and intrusive and you have our sympathy.  Please do not hesitate to contact us if you would like to discuss it with us otherwise we’d encourage you to report it to the ICO as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary.  You can see the action that has been taken by the ICO here

    Data Protection People Limited – March 2021