
Use Case

GDPR Data Subject Request System

A UK GDPR data subject request without a system means days of manual searching across every database. A DSAR system finds, packages, and tracks each request.

The Scenario

You are the DPO or compliance lead at a UK business with significant customer data — a retailer, a services firm, a SaaS company, a recruitment business, a healthcare provider. A subject access request arrives in your inbox: a former customer or candidate wants a copy of all the personal data you hold about them. You have a calendar month to respond.

Customer data lives in nine places. The CRM. The marketing platform. The support tool. The accounting system. The website backend. The legacy database that predates the current CRM. The shared drive with old contracts. The recruitment platform. The call recording system. You begin the search.

The Problem

The specific frustration is the database you almost forget. You have searched eight systems methodically. The pack is nearly ready. Then it occurs to you that you should also check the call recording archive, and there are two recordings of the subject from eighteen months ago. The pack has to be revised. You wonder, briefly, what else might be in a system you have not thought of. The honest answer is that you cannot be certain you have found everything, because the data inventory of the business is in your head rather than in a system.

The cost is real on multiple dimensions. Each subject access request consumes one to three days of senior compliance or operations time at the volume most businesses see. Under UK GDPR the response window is one month, extendable by two for complex requests; missing the deadline triggers ICO exposure. The risk is a harder problem than the time: a request that is answered incompletely is a worse outcome than one that is answered late, and there is no way to know with confidence that your search has been complete when the data inventory is informal. As request volume grows, and it is growing, the manual approach starts to fail.

The Approach

A DSAR (data subject access request) system replaces the manual search with a structured workflow that knows where personal data lives in the business. The system holds the data inventory: every system, every personal data field, every retention rule, and the access mechanism for searching each system. When a request arrives, the system creates a structured case, fires searches against each relevant data store through API integrations, aggregates the results, and presents the candidate response pack for review.

The reviewer — DPO, compliance lead, or delegated handler — sees the data found in each system, redacts what needs to be redacted, decides on any exemptions, and approves the response pack. The system tracks the case timeline against the GDPR deadline, escalates if action is required, and produces the final pack in a defensible, audit-logged form. Erasure requests (right to be forgotten), rectification requests, and restriction requests follow the same pattern with the appropriate workflow variations. The whole layer sits on the audit and compliance services infrastructure so the handling of each request is itself audit-evidenced.
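A minimal sketch of the inventory-driven search described above, as an added example rather than the vendor's own code: every inventoried system must return a completed search (even an empty one) before the pack can be approved, and the due date follows the one-month window, extendable by two. All names, the sample systems and the month-end clamping rule are assumptions made for illustration.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date

def add_months(d: date, months: int) -> date:
    """Same day-of-month `months` later, clamped to month end (assumed counting rule)."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

@dataclass
class Case:
    subject: str
    received: date
    extended: bool = False                        # complex request: +2 months
    results: dict = field(default_factory=dict)   # system -> records found
    audit: list = field(default_factory=list)     # (system, outcome) per attempt

    @property
    def due(self) -> date:
        return add_months(self.received, 3 if self.extended else 1)

def run_searches(case: Case, inventory: dict) -> None:
    """Search every inventoried system; a failure is logged, never silently skipped."""
    for system, search in inventory.items():
        try:
            case.results[system] = search(case.subject)
            case.audit.append((system, f"ok:{len(case.results[system])}"))
        except Exception as exc:
            case.results.pop(system, None)
            case.audit.append((system, f"error:{exc}"))

def outstanding(case: Case, inventory: dict) -> list:
    """Inventoried systems with no completed search; must be empty before approval."""
    return sorted(set(inventory) - set(case.results))

# Constructed sample data: three of the nine systems, with stand-in search functions.
def crm(subject): return [{"email": subject, "name": "A. Example"}]
def support(subject): return []                   # searched, nothing held
def call_recordings(subject): raise ConnectionError("archive offline")

INVENTORY = {"crm": crm, "support": support, "call_recordings": call_recordings}

if __name__ == "__main__":
    case = Case("a.example@example.test", date(2025, 1, 31))
    run_searches(case, INVENTORY)
    print("due:", case.due, "outstanding:", outstanding(case, INVENTORY))
```

An empty result counts as searched, while a failed search leaves the system in `outstanding`, so the call recording archive cannot drop out of the pack unnoticed.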

The Outcome

A request that used to take three days of manual searching now takes a few hours of review. The system performs the search; the DPO performs the judgement. The “have I missed a system” anxiety drops because the data inventory is now a defined object that gets reviewed and updated explicitly rather than relying on the DPO’s memory. When the next request arrives, the search runs against the same inventory rather than being reconstructed from scratch.

The compliance posture sharpens beyond just the time saving. You can answer the ICO question — how do you handle DSARs — by showing the workflow, the inventory, and the audit log of every prior request. You can demonstrate consistency across requests, because the same search is being run each time. When volumes rise — a security incident triggers fifty requests in a week, or a marketing campaign brings request volume up — the system handles the throughput without overwhelming the compliance team. And the broader data governance improves, because maintaining the inventory becomes a regular activity rather than something nobody quite owns.

Who This Applies To

DPOs, compliance leaders, and heads of legal at UK businesses with significant volumes of personal data — typically retailers, e-commerce, SaaS, recruitment firms, healthcare providers, financial services, and consumer services. Most relevant for businesses receiving more than two or three DSARs a month and for any business in a sector where DSAR volume is rising. Also relevant for firms preparing for ICO audit or pursuing ISO 27701.

Sound Familiar?

If your DSAR process depends on the DPO remembering every system that holds personal data, the inventory needs to live in a system rather than in a head. We build DSAR handling systems that search across your data estate, package the response, and audit every step. Let us walk through what yours would look like.
