SARs from Panic to Process — The repeatable triage system

Clear your SAR backlog with a calm, 7-step system you can stand up this week.

SARs pile up when teams firefight case‑by‑case; they clear when you run a simple system.

Subject access requests (SARs) don’t have to sink your team. Under UK GDPR you must respond without undue delay and at the latest within one month. You can extend by up to two further months if the request is complex or you have received several requests from the same person, but you must tell the requester within the first month and say why. The month normally runs from the day you receive the request, or from the day you receive any identity information you reasonably need. If the request is unclear and you genuinely need clarification of the information sought, you can ask for it; the clock pauses until the requester replies. You generally cannot charge a fee, except a reasonable fee for additional copies or where a request is manifestly unfounded or excessive (which you may instead refuse, giving your reasons). Make reasonable and proportionate efforts to find the data, and be able to explain what you searched, where, and why.

At a glance

The 7 steps in 30 seconds: Map → Acknowledge → Prioritise → Standardise search → Redact with rules → Communicate timelines → Close & learn.

A 7-step SAR triage that brings order fast

1) Map the backlog

One tracker (sheet or ticket board) with: received date, due date (and extended date if used), requester, scope, ID status, systems/custodians, risks (child/employee/litigation/regulator), status, owner. Colour-code by due date. Add a “stop-the-clock” column for ID/clarification pauses. Output: a live risk view in 10 minutes.

2) Pause the panic (and set expectations)

Same-day acknowledgement template:

Thanks for your request dated [date]. We’ll respond by [due date]. If we need anything to confirm your identity or to clarify the information you’re seeking, we’ll let you know and timeframes will adjust accordingly.

If the request is very broad, send a short scope clarification:

To help us locate the information you need, could you confirm which services, dates, or keywords we should focus on? We will begin work on the information already clear and update you on progress.

Log what you asked and when you asked it.

3) Prioritise by risk (not noise)

Top priority: children/young people; employee HR/disciplinary; matters connected to litigation or regulatory scrutiny. Timebox high-risk reviews (e.g., daily 30-min stand-up on these cases). Park low-risk duplicates until you’ve stabilised deadlines.

4) Standardise the search (save hours)

Pre-agree the systems list (email, HRIS, CRM, chat, ticketing, file shares, device images if justified). Name custodians for each system; give them a 5-line brief: date range, requester identifiers, keywords, exclusions. Use consistent keywords and date windows; record them in the tracker to show reasonable efforts later.

5) Redact with rules (make it defensible)

Simple redaction matrix: Third-party personal data (remove/anonymise unless reasonable to disclose); legally privileged or investigation notes (consider exemptions; record basis); special category/criminal offence data (double-check lawful disclosure). Do a second-pair review on sensitive bundles (4-eyes principle).

6) Communicate timelines (and use extensions lawfully)

If you need an extension (complexity or multiple requests from the same person), notify within the first month: We’re processing your request and expect to provide our response by [new date], due to [brief reason: volume/complexity/parallel requests]. Keep all date moves auditable in your tracker.

7) Close the loop (quality + learning)

QA checklist for the final pack: ID verified (if needed) and clock noted; scope matched and searches logged; redactions checked against matrix; cover letter in plain English (how to ask questions/challenge). Update the tracker with effort notes (hours, systems), redaction basis, and any process improvements spotted.
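The tracker in step 1, the stop-the-clock column in step 2, the risk ordering in step 3 and the extension in step 6 all reduce to a small amount of date arithmetic that is easy to get wrong by hand (a request received on 31 January has no "31 February"). The script below is an added example, not part of the original article or any product it describes. It follows the ICO's published way of counting the one-month period (corresponding calendar date in the next month, or the last day of that month if there is none, rolled to the next working day if it lands on a weekend or public holiday). Two modelling choices are ours rather than a legal rule: a pause awaiting clarification shifts the deadline by the number of paused days, and an identity check moves the clock start to the day the ID arrived. The RAG thresholds, the backlog, and the holiday list are constructed; check the counting convention with your DPO before relying on it.

```python
"""Due-date arithmetic for a SAR backlog tracker.

Added example, not from the original article. Counting follows the ICO's
published approach to the one-month period; the pause and ID-clock
handling, RAG thresholds, sample cases and holiday list are our own
assumptions for illustration.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta


def add_months(start: date, months: int) -> date:
    """Same day-of-month `months` later, clipped to that month's last day."""
    month_index = start.month - 1 + months
    year, month = start.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d: date, holidays: frozenset[date] = frozenset()) -> date:
    """Roll forward while `d` is a Saturday, Sunday or listed public holiday."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


@dataclass
class SarCase:
    ref: str
    received: date
    id_received: date | None = None          # clock starts here if ID was needed
    pauses: list[tuple[date, date]] = field(default_factory=list)  # clarification
    extension_months: int = 0                # 0, 1 or 2 further months
    risk_flags: tuple[str, ...] = ()         # e.g. "child", "employee", "litigation"

    def clock_start(self) -> date:
        start = self.id_received or self.received
        if start < self.received:
            raise ValueError(f"{self.ref}: ID cannot predate the request")
        return start

    def paused_days(self) -> int:
        """Assumption: each pause stops the clock for (end - begin) whole days."""
        return sum((end - begin).days for begin, end in self.pauses)

    def due_date(self, holidays: frozenset[date] = frozenset()) -> date:
        """Deadline after extension, pauses and the working-day roll."""
        if not 0 <= self.extension_months <= 2:
            raise ValueError(f"{self.ref}: at most two further months allowed")
        deadline = add_months(self.clock_start(), 1 + self.extension_months)
        deadline += timedelta(days=self.paused_days())
        return next_working_day(deadline, holidays)


HIGH_RISK = {"child", "employee", "litigation", "regulator"}


def rag_status(days_left: int) -> str:
    """Colour band for the tracker; thresholds are our choice, not a legal rule."""
    if days_left < 0:
        return "OVERDUE"
    if days_left <= 5:
        return "RED"
    return "AMBER" if days_left <= 10 else "GREEN"


def triage(cases: list[SarCase], today: date,
           holidays: frozenset[date] = frozenset()) -> list[dict]:
    """Backlog rows ordered by due date, then by number of high-risk flags."""
    rows = []
    for c in cases:
        due = c.due_date(holidays)
        days_left = (due - today).days
        rows.append({"ref": c.ref, "due": due, "days_left": days_left,
                     "status": rag_status(days_left),
                     "risk": len(HIGH_RISK & set(c.risk_flags))})
    return sorted(rows, key=lambda r: (r["due"], -r["risk"]))


# Constructed sample backlog, reviewed on Monday 3 March 2025.
HOLIDAYS = frozenset({date(2025, 4, 18), date(2025, 4, 21)})  # Good Friday, Easter Monday
BACKLOG = [
    SarCase("SAR-001", date(2025, 1, 31)),                    # no 31 Feb: due Fri 28 Feb
    SarCase("SAR-002", date(2025, 1, 31), id_received=date(2025, 2, 5)),
    SarCase("SAR-003", date(2025, 1, 31), extension_months=2, risk_flags=("litigation",)),
    SarCase("SAR-004", date(2025, 2, 18), pauses=[(date(2025, 2, 21), date(2025, 2, 28))],
            risk_flags=("child",)),
]

if __name__ == "__main__":
    for row in triage(BACKLOG, date(2025, 3, 3), HOLIDAYS):
        print(row)
```

Running it lists SAR-001 as overdue (its month ended on 28 February), SAR-002 due 5 March because the clock only started when ID arrived, SAR-004 pushed a week to 25 March by the clarification pause, and SAR-003 on 30 April after a two-month extension. Keep the pause and extension dates in the tracker row as well, so the evidence pack can show how each deadline was reached.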

Don’t normalise backlog firefighting. Design it out with a repeatable triage + templates.

Three quick templates (copy, paste, personalise)

A. Acknowledgement (same day)

Subject: We’ve received your request
Thank you for your request dated [date]. We’ll respond by [due date]. If we need more information to confirm your identity or to clarify the information you’re seeking, we’ll contact you and adjust timelines accordingly. If you prefer a narrower scope (e.g., specific dates, systems, or keywords), tell us and we’ll prioritise that first.

B. Scope clarification (when broad/unclear)

To help us locate the information that matters most to you, could you confirm any of the following:
• date range(s)
• system(s)/service(s)
• keywords
• names/teams involved
We’ve started work on the parts already clear and will update you on progress.

C. Extension notice (use only when justified)

We are processing your request. Due to [complexity/volume/parallel requests], we are extending our response period as permitted by data protection law. We will provide our response by [new date]. If this causes any difficulty, please let us know.

What not to do (real-world caution)

Unmonitored inboxes and missing acknowledgements are reputational landmines. Don’t let requests sit unseen. Make sure someone owns the inbox daily and has a same-day acknowledgement template ready.

The SAR evidence pack — what to keep for each case

• The request and all correspondence (dates visible)
• ID check notes (if sought) and any clock adjustments
• Search plan (systems, custodians, dates, keywords)
• Redaction matrix applied + exemptions relied upon
• Final response letter + inventory of files released

Metrics that actually help (not theatre)

• On-time rate (within 1 month / within extended period)
• Average time to acknowledge (target: same day)
• Cases paused for ID/clarification (and average pause length)
• Quality escapes (post-send corrections)
• Complaints per 100 SARs and median time-to-redress
Publish one-line definitions so teams know how to win safely.

30 / 60 / 90-day plan

Next 30 days

Stand up the tracker, send acknowledgements on all open cases, agree the systems/custodian list, and adopt the redaction matrix.

Next 60 days

Template your three key letters, run one practice SAR end-to-end, and add a second-pair review on sensitive bundles.

Next 90 days

Create your evidence-pack folder structure, review metrics with the team, and update the playbook based on what slowed you down.

Need a safe pair of hands?

We can stand up your SAR triage in days: tracker, templates, training, and QA, sized to your stack.

#GDPR #DataProtection #Privacy #DPO #SubjectAccessRequest #SAR #Governance #Compliance #UKBusiness
