Richard Holmes

Richard Holmes

Head of Cyber Security Services

GDPR has obliged companies to formalise their approach to Subject Access Requests (SARs). They must reveal information they hold or are responsible for in their supply chain, about an individual, why they hold it, and who has access to it, in response to a SAR.

Organisations have one month to respond to a valid SAR.

Lots of organisations have received requests, and some have seen a significant increase in the numbers of SARs they are dealing with. They have tested their theoretical plans created as part of their GDPR preparations, against delivery practicalities and the engagement of stakeholders inside and outside the company.

Many are yet to develop a mature process for dealing with SARs. Without this, it’s hard work!

SARs – an irrelevance?

The SAR is not simply an add-on to the cyber security aspects of GDPR; to be thought of in terms of compliance and penalties. SARs, and the ‘right to be forgotten’ are key parts of the concept behind the Regulation. They are about the protection of personal information which most likely relates to your customers.

This means it’s about customer satisfaction - that your company manages information well and is a trustworthy supplier. It’s not a stretch of the imagination to think that those most likely to make a SAR are potentially the most visible in social and traditional media.

If you’ve estimated that you’ll only get few SARs, then building an ad hoc process that is time and effort intensive will lead to significant work if you’ve mis-estimated. Worse, if your SAR response is poor or inadequate, this leads to even more effort and time spent repeating the process.

Late in 2017, CGI UK commissioned and directed the Centre for Economics and Business Research (Cebr) and Opinium to conduct a survey and research around attitudes towards and preparedness for GDPR. Opinium surveyed 250 UK businesses with 29% of survey respondents drawn from companies with more than 2,499 employees and 72% from companies with more than 249 employees.

Respondents to this survey indicated a wide spread of ability to process SARs:

blog image 2

Be prepared

Over 85 percent of our survey respondents reported that they already have or will shortly implement a process that ensures that “data subjects can have electronic copies of the data the organisation holds on them in standard formats, on request.”

blog image

Respondents to the survey were typically working in a B2B industry rather than B2C and may have different expectations of the potential number of SARs.

Running a SAR process lets you assess how it matches your theory and can lead to the discovery of data that they had no business reason to hold, allowing the deletion of this data for all subjects, and less subsequent impact.

Your organisation could consider the following:

  • How to confirm the requestor’s ID. Can this be automated?
  • Where is the information held? Include structured and non-structured data, including things like video and Outlook contacts.
  • How to screen and redact the information provided? Avoid GDPR breaches caused by giving out too much information.
  • What guidance do you use? Revisit ISO27001 or BS10010 perhaps?
  • How to delete the records and provide proof.
  • Would your CRM system provide ready access to many of the records in question?

The ‘forget me nots’

Beware of basing SAR predictions on BAU. An ‘incident’ is likely to generate many more, just when you are least able to process them. It may not even be your incident, it could be a supplier or competitor; “They got breached, what if mysupplier got breached?”, “Company X has an IT issue and you may have the proof I need.” Even if you can handle a massively increased volume of SARs, will your compliance be affected by your supply chain’s inability to do so?

Many organisations also sometimes forget the right to be forgotten. A SAR could precede a request for data deletion. If your SAR process involves manual data discovery, then at least keep an audit trail in anticipation of having to delete it.

Record deletion is non-trivial, especially if the data is distributed. Personal information can also be on paper, cctv video, audio (call centre), and so on. Deletion isn’t just pressing a button. It’s the audited and recorded process that shows that data, in all formats, was appropriately deleted. That even includes allowing backups to cycle through their expiration period or be deleted.  Ensuring deletion of information stored in cloud based services can be even further complicated.

Automating SAR fulfilment:

The decision to automate SAR processing may have depended on your estimate of requests and whether you are primarily in B2B or B2C. It may also depend on whether your company considered the SAR as part of GDPR, and therefore cyber security. Fulfilling SARs and data deletion is equally a part of CRM. This may be a cost-effective way of delivering an automated system.

Improving the company’s CRM to provide a genuine ‘total customer view’ – all the information across all the systems – benefits the whole company. Automating SARs from a start point of already having templates of all the needed information is much easier. The additional work is to create online forms with identity checking, the removal of non-relevant information (company details?) from templates and a logging/ reporting system. The cost and effort are no longer strictly GDPR related.

An effective automation system refers requestors to a single accessible point on a website. Requests that are phoned in or sent in writing can be logged and managed more easily even in the event of a sudden increase after an incident. Effective automated identity checking can also prevent the SAR equivalent of a MDDOS attack, swamping you with requests from non-existent subjects.

... the take away

SARs and in particular the right to be forgotten can be the forgotten elements of GDPR. They directly affect your relationship with your customers. Although it’s easy to estimate the impact under BAU, you may well find that SARs hit you at the worst possible moment, making resolving an incident that much worse.

Preparing effectively, running some SARs, and remembering some key issues can make covering SARs significantly easier. And a CRM-style approach might make automating the delivery and eventual deletion of personal information more cost effective.

If you need any advice and guidance, CGI can help. We have a range of GDPR services centred around data discovery, advice and guidance and a wealth of hands-on experience. Contact us at to discuss your options.

About this author

Richard Holmes

Richard Holmes

Head of Cyber Security Services

Richard leads cyber security services for CGI in the UK. The group provides a balanced portfolio of services across a broad range of sectors from Defence and Intelligence, Energy and Utilities, as well as the commercial sector. Engagements include the design and delivery of major ...