How to Handle a Subject Access Request When Your Documents Are in a DMS

Subject access requests are one of the most practical tests of your document management system's compliance capability. Our document management GDPR compliance guide covers the full compliance framework. This article focuses specifically on handling SARs.

What a Subject Access Request Is

Under UK GDPR Article 15, any individual has the right to request copies of all personal data you hold about them. This is a Subject Access Request (SAR). You must respond within one calendar month of receiving it. There is no charge. You cannot refuse unless the request is manifestly unfounded or excessive.

The response must include: confirmation of whether you process their data, a copy of all personal data you hold, the purposes for which you process it, the categories of data, and information about retention periods and their rights.

Why SARs Are Hard Without a DMS

A SAR requires you to find all personal data relating to an individual across all your systems. In a typical business without a proper DMS:

  • Documents in SharePoint or network folders — searchable but unstructured
  • Email attachments — in multiple inboxes, not easily searched by subject
  • Paper files — physically searched, no full-text capability
  • CRM records — usually easy, separate system
  • HR system — usually easy, separate system
  • Accounting software — usually easy, separate system

The documents and emails are the problem. A thorough SAR response for a customer who has been dealing with a business for several years can involve searching through thousands of documents and emails across multiple mailboxes. Doing this in 30 days while running a normal business is genuinely difficult.

How a DMS Makes SARs Manageable

Metadata-based search

If documents are tagged with a Client Name or Customer ID metadata field, a single search returns every document relating to that individual instantly. Search "Smith, John" → 47 documents returned, from 6 different document types, spanning 3 years. This takes 10 seconds in a DMS; it takes hours in paper files or an unstructured SharePoint library.

Full-text search

OCR-processed documents are searchable by their content. If a person's name appears in the body of a document that wasn't tagged with their name, full-text search finds it. This is the safety net for documents that weren't perfectly tagged.

Audit trail

A DMS audit trail shows who accessed a document and when. This is useful if the SAR includes questions about data access history, or if you need to demonstrate that personal data was only accessed by authorised staff.

Redaction tools

SARs often involve documents that contain personal data about multiple individuals. You may need to redact third-party personal data before providing the response. DMS platforms with built-in redaction tools allow this without altering the original document.

Step-by-Step SAR Response Process

  1. Acknowledge receipt: Immediately confirm you've received the SAR and state the response deadline (one month from receipt).
  2. Verify identity: Confirm the requester is who they say they are before disclosing any data. Request reasonable proof of identity; this does not extend the response deadline unless you have to wait for the requester to supply ID documents.
  3. Search all systems: DMS (search by name/ID), email, CRM, HR system, accounting software, paper files.
  4. Review results: Identify all personal data relating to the individual. Review for any data that should be withheld (legal professional privilege, third-party personal data, information that could prejudice an investigation).
  5. Redact third-party data: Where documents contain personal data about other individuals, redact those details before providing the response.
  6. Compile the response: Provide copies of all identified personal data, plus the required information about processing purposes, retention periods, and rights.
  7. Document what you did: Keep a record of the SAR, your search methodology, what was found, and what was provided. This demonstrates accountability if the ICO ever asks.

What Happens If You Miss the Deadline

Failure to respond to a SAR within one month is a breach of UK GDPR. The individual can complain to the ICO, which can issue an enforcement notice requiring you to respond and, in serious or repeat cases, a fine. A practical point: if you genuinely cannot compile a full response within one month (for example, a complex SAR involving very large volumes of data), you can extend the deadline by a further two months, but you must notify the individual of the extension within the first month and explain why.

Make SAR responses a 10-minute job

A DMS with proper metadata makes finding all personal data on any individual instant.