Subject Access Requests: Why Expert Oversight Matters

Subject Access Requests (SARs) sit at the heart of the UK’s data protection framework. Under the UK GDPR and the Data Protection Act 2018, individuals have the right to know whether an organisation is processing their personal data, to access that data, and to understand how and why it is being used. This transparency is fundamental. It empowers people to challenge inaccuracies, to understand decisions made about them, and to hold organisations accountable for lawful and fair data handling.

But what does good SAR compliance actually look like in practice? And can organisations really rely on automation alone to meet their obligations? As data volumes increase and systems become more complex, many organisations are rethinking how they handle Subject Access Requests. While efficiency matters, accuracy, judgement, and accountability matter more.

UNDERSTANDING SUBJECT ACCESS REQUESTS

SUBJECT ACCESS REQUESTS ARE NOT SIMPLE

Given the volume and complexity of modern data systems, many organisations are considering automated solutions to manage Subject Access Requests. Automation can help with efficiency, such as locating data across large systems. However, relying on automation alone carries real risks.

A SAR is rarely a simple retrieval exercise. It requires careful judgement. Organisations must decide what information constitutes “personal data”, and assess whether disclosures would infringe the rights of others. They must identify legally privileged material and determine when exemptions apply. The ICO’s guidance on Subject Access Requests makes clear that these decisions are rarely black and white. They depend heavily on context, nuance, and a clear understanding of the individual circumstances behind the data.

Is a Subject Access Request just a technical task?

So, is a Subject Access Request just a technical task? Or is it a legal and ethical exercise that demands expertise? In most cases, it is both.

Automation and SAR compliance

Can Automation Make Legal Judgements?

Automated tools are not yet capable of consistently making legally sensitive distinctions. While technology can search, extract, and categorise data at scale, it cannot reliably interpret legal concepts. It cannot assess proportionality. It cannot understand intent, tone, or risk.

Errors in SAR handling can take two forms. Under-disclosure may deny individuals their rights under the UK GDPR. Over-disclosure may expose confidential, sensitive, or legally protected information. Both outcomes can have serious consequences. They can result in complaints to the Information Commissioner’s Office (ICO), they can damage trust, and in some cases, they can cause real harm to individuals.

Who is responsible when automation fails?

Who is responsible when an automated system gets it wrong? Under data protection law, accountability always rests with the organisation. Automation does not remove that responsibility.

The role of human oversight

Why Human Oversight Still Matters

Expert human oversight ensures that SAR responses are lawful, complete, and appropriately balanced. It safeguards the rights of the requester while also protecting the rights of third parties. This oversight is particularly important where data is sensitive or complex, such as in employment SARs, healthcare records requests, or public sector disclosures.

As technology develops, the most effective approach is increasingly a hybrid one. Automation can support repetitive, large-scale data retrieval tasks. However, qualified professionals must retain responsibility for the careful judgements that sit at the core of SAR compliance. This is especially true in sectors such as healthcare, employment, education, and public services.

Subject Access Requests Are About People

Why does this matter so much? Because Subject Access Requests are not just about data. They are about people. They are about transparency, fairness, and trust.

Experience, Judgement, and Nuance

WHY EXPERTISE CANNOT BE AUTOMATED

Technology can do many things well. It can process large volumes of information quickly. It can reduce administrative burden. But it cannot bring experience. It cannot bring wisdom. It cannot replicate nuanced thought processes or careful consideration.

SAR compliance often requires understanding why data exists, how it is used, and what impact disclosure may have. These are not purely technical questions. As recognised in ICO guidance on exemptions and third-party data, they require human judgement and accountability.

IMPORTANCE OF THE RIGHT EXPERTISE

Human oversight matters, but it is not just any human oversight that counts. It must be the right human, with the right skills, experience, and understanding of data protection law. Without that expertise, even well-intentioned SAR processes can fail.

What Effective SAR Compliance Looks Like

How Do Organisations Achieve This in Practice?

So, can organisations afford to rely on automation alone for Subject Access Requests? And can they afford the risks that come with it?

SAR compliance remains a cornerstone of the UK GDPR. As volumes increase and expectations rise, organisations must ensure their approach is robust, defensible, and focused on the rights of the individual. Expert oversight provides that assurance. It ensures decisions are made carefully, documented properly, and capable of withstanding scrutiny.

Technology should support SAR compliance, not replace it. The most effective organisations understand this balance, investing in tools where appropriate, but retaining expert oversight where it matters most.

How DPAS Can Help With This

Expert-Led Subject Access Request Support

For organisations facing increasing volumes of Subject Access Requests, expert support can make a critical difference. While technology can assist with repetitive, large-scale data retrieval tasks, it cannot replace the experience, judgement, and nuanced thought processes required for lawful SAR compliance.

DPAS provides expert-led SAR support designed to ensure responses are timely, lawful, and defensible. Our specialists apply careful consideration to complex issues such as exemptions, third-party data, and legally privileged material. By combining appropriate technology with the right human oversight, DPAS helps organisations meet their UK GDPR obligations, safeguard individual rights, and reduce regulatory risk.

If you need SAR support, get in touch at info@dataprivacyadvisory.com or book a meeting with one of our Subject Access Request Officers.
