Version: 1.0 | Owner: Data Protection Officer | Review Cycle: Annual
Lead
This playbook provides a step-by-step process for responding to GDPR Subject Access Requests (SARs) within the statutory 30‑day timeframe. It is designed for privacy teams, data stewards, and departmental leads who receive SARs. Trigger this playbook immediately upon receipt of a valid SAR to ensure compliance, mitigate risk, and uphold data subject rights.
Prerequisites
- Data inventory and mapping completed for all personal data systems
- SAR intake procedure established (email, web form, or verbal request logged)
- Identity verification protocol defined and approved
- Redaction guidelines for third‑party data and exemptions documented
- Secure delivery channel for response (encrypted email, portal, or physical)
- Record‑keeping log for SARs (to track requests, actions, and outcomes)
- Escalation matrix for complex requests (legal, DPO, senior management)
Phase 1: Intake and Validation (Days 1‑2)
Action: Log the SAR and verify the requester's identity.
Rationale: GDPR requires confirmation of identity before disclosing personal data to prevent unauthorized access.
1.1. Record SAR details: date received, requester name, contact method, specific data requested (if any), and assigned reference number.
1.2. Initiate identity verification using approved protocol (e.g., government‑issued ID, knowledge‑based authentication, or existing account credentials).
1.3. If identity cannot be verified within 2 days, request additional information and pause the clock (document the request).
1.4. Once verified, send an acknowledgment of receipt stating the verification status and the estimated response date (within 30 days of the original request).
Decision Point: Is the request manifestly unfounded or excessive?
- Yes (e.g., repetitive requests, clearly intended to harass): Notify legal, consider charging a reasonable fee or refusing to act. Document justification.
- No: Proceed to data gathering.
Phase 2: Data Gathering and Mapping (Days 3‑10)
Action: Identify, locate, and extract all personal data relating to the requester.
Rationale: A thorough search across all systems ensures completeness and avoids missing data that could lead to non‑compliance.
2.1. Consult data inventory to list systems, databases, and files likely to contain the requester's personal data.
2.2. Notify relevant system owners/departments (HR, IT, marketing, sales) with search parameters (name, identifiers, date range).
2.3. Use automated search tools where available; otherwise, conduct manual searches using requester's identifiers.
2.4. Collect all matches, including structured data (database rows) and unstructured data (emails, documents, call recordings).
2.5. Compile preliminary data set and note any difficulties accessing certain systems (flag for escalation).
Decision Point: Is the data volume manageable for review within remaining time?
- No (e.g., thousands of records): Engage legal to assess if request is excessive. Consider negotiating scope or applying exemptions.
- Yes: Proceed to review.
Phase 3: Review and Redaction (Days 11‑20)
Action: Examine collected data, apply exemptions, and redact third‑party information.
Rationale: GDPR allows refusals or redactions to protect others' rights, trade secrets, or legal privileges.
3.1. Review each data item for relevance to the request (if requester specified particular data, limit to that scope).
3.2. Apply GDPR exemptions (e.g., legal‑advice privilege, ongoing legal proceedings, regulatory functions) where appropriate.
3.3. Redact any personal data belonging to third parties unless they have consented to disclosure or it is reasonable to disclose without consent.
3.4. Document all redactions and exemptions applied, citing the specific GDPR article or recital relied on.
3.5. Produce a clean, redacted dataset in a commonly used format (PDF, CSV, or plain text).
Decision Point: Are there conflicting legal obligations (e.g., data must be retained for legal proceedings)?
- Yes: Consult legal counsel before redacting or withholding data. Document legal basis.
- No: Finalize redacted dataset.
Phase 4: Delivery and Documentation (Days 21‑28)
Action: Securely deliver the response and update records.
Rationale: Secure delivery protects the data subject's privacy; proper documentation demonstrates compliance.
4.1. Encrypt the response package using an approved method (PGP, S/MIME, or a portal protected with 2FA).
4.2. Deliver via confirmed secure channel; obtain receipt or acknowledgment of delivery.
4.3. Provide the requester with: copy of personal data, purposes of processing, categories of data shared, recipients or categories of recipients, retention period, and their rights (rectification, erasure, objection).
4.4. Log all actions taken: verification steps, data sources searched, exemptions applied, delivery method, and date.
4.5. Notify DPO of completion for oversight.
Decision Point: Did the requester respond with questions or complaints?
- Yes: Route to privacy team for clarification; if unresolved, escalate to DPO.
- No: Consider the SAR complete after delivery.
Phase 5: Post‑Completion and Review (Days 29‑30)
Action: Finalize records and identify improvement opportunities.
Rationale: Continuous improvement reduces future SAR handling time and enhances compliance posture.
5.1. Archive SAR case file (request, verification logs, data search records, redaction justification, delivery proof) for minimum 24 months.
5.2. Update SAR metrics log: time to verify, time to gather, time to review, total processing time, any extensions or fees.
5.3. Conduct brief retrospective: What bottlenecks occurred? Were any systems difficult to search? Update playbook or data inventory accordingly.
5.4. If request was complex or set a precedent, brief senior management and privacy committee.
Escalation Path
- Level 1 (Team Lead): Unclear scope, verification difficulties, or requests exceeding 1,000 records.
- Level 2 (Data Protection Officer): Legal exemptions needed, third‑party data conflicts, or potential refusal/unfounded claim.
- Level 3 (Legal Counsel): Court orders, regulatory investigations, or claims of manifestly unfounded/excessive requests requiring legal interpretation.
- Level 4 (Senior Management): Reputational risk, complaints to supervisory authority, or resource allocation for excessive requests.
Post‑Completion Checklist
- Identity verified and documented
- Search conducted across all relevant systems per data inventory
- All personal data located and extracted
- Exemptions and third‑party redactions applied and justified
- Response delivered via secure channel with receipt
- Requester informed of their rights and complaint process
- Complete case file archived for 24 months
- SAR metrics updated and retrospective notes recorded
- DPO notified of completion
Related Playbooks and Templates
- Data Inventory Maintenance Playbook (ID: 5) – For keeping data maps current
- Privacy Impact Assessment Template (ID: 12) – To assess risks of new processing that may affect SAR volume
- Data Breach Response Playbook (ID: 8) – If SAR reveals improper data handling
- Records Retention Schedule (ID: 3) – For determining lawful retention periods to include in SAR response
Key Takeaways
- Start the clock immediately – Log the request, verify identity, and send an acknowledgment within the first two days.
- Leverage your data inventory – An up‑to‑date map of where personal data lives is the single most valuable tool for meeting the 30‑day deadline.
- Document every exemption – Cite the exact GDPR article for each redaction or refusal; this protects you during audits or regulator inquiries.
- Secure delivery is non‑negotiable – Use encryption or a protected portal and retain proof of receipt.
- Measure and improve – Capture verification, search, and review times; use the metrics to spot bottlenecks and refine the process.
Conclusion
A well‑executed GDPR SAR process protects individuals’ rights, reduces regulatory risk, and demonstrates your organization’s commitment to privacy. By following this playbook—intake, verification, data gathering, review, secure delivery, and post‑completion review—you’ll stay within the 30‑day statutory window, maintain clear audit trails, and continuously improve your response capability. Keep the checklist handy, update your data inventory regularly, and treat each request as an opportunity to showcase strong data‑governance practices.
Next Steps
- Distribute the playbook to all privacy‑team members and relevant department leads.
- Conduct a tabletop exercise within the next month to walk through each phase and identify any gaps.
- Integrate the SAR intake form with your ticketing system so the clock starts automatically.
- Schedule quarterly reviews of the data inventory and redaction guidelines to keep them current.
- Monitor metrics after each SAR and update the post‑completion checklist with any new lessons learned.
By turning these actions into routine practice, you’ll not only meet legal obligations but also build trust with customers and regulators alike.