Data Subject Access Solutions

Process SARs in minutes, not days

The Exonar platform provides automated, intuitive and rapid processing of subject access requests (SARs), substantially reducing costs and decreasing disruption to your organisation.

After 25th May 2018, when the EU’s General Data Protection Regulation (GDPR) came into force, organisations can no longer charge for producing SARs. This means you should prepare for a significant increase in the number of requests your organisation handles. In our recent survey 57% of individuals said they would want to request their data as there is now no cost.

SARs can be over 800 Pages Long. Where do we start?

Subject access requests can cross many business units, departments, systems, processes and people. Often the only way to deal with them has been to email line management and request printed copies of the information requested, coralling that information then sending it to the customer via courier.

There’s an easier way. Use Technology

Connect to all of the sources of your customer data; emails, databases, word documents and spreadsheets, in your fileshares or in the cloud. Build an index of all of that information so that you can search it, instantly. Use machine learning to help guide you to all of the right and less of the wrong information. Manage your SARs online and track them as they progress.

Doctor! Doctor! I have a SAR – How Long is the Waiting List?

A First-Hand Account of the Problematic Role of SARs Processing
It’s widely known that resources within the NHS are stretched. So what happens when an institution that is already buckling under the pressure receives a consistently large volume of SARs with tight delivery deadlines?
Read More

The Exonar platform continuously indexes all of your organisation’s data, meaning producing a subject access request is simple, quick and efficient:

Process, redact and produce SARs directly from the Exonar platform, without needing to scan or photocopy information
SAR dashboard shows you where you are with cases, and who you’re waiting on
Create simple templates to enable untrained users to find information relating to an individual
Review documents without needing to access the originals
Use machine learning to identify and redact personal and commercial information

CIO Solutions

Harness your data – unlock your assets

Gartner’s 2018 CIO Survey (above) plainly reveals that the job of the CIO is changing. As digitalisation
and innovation put more emphasis on the information rather than the technology in “IT,” the CIO’s role is transforming from delivery executive to business executive. They must now control costs and re- engineer processes to drive revenue and exploit data.

So, how does a CIO transform their organisation to help drive revenue and the exploitation of data whilst controlling costs and facilitating these business objectives?

According to The Economist ‘the world’s most valuable resource is no longer oil, but data’. Therefore, the Chief Information Officer should be an organisation’s most valuable asset. However, many are struggling to operate at their full potential. Time and again, strategies are defined and goals are set but the fundamental data question remains –

“I don’t even understand what data I’ve got. Where do I start so I can begin using it?”

By answering this seemingly simple yet complex question, CIO’s are able to advance the objectives of their business, transforming the model whilst supporting the digital agenda.

Often seen as a risk, we want to demonstrate that rather than being something to be concerned about, data can be controlled and turned into an asset.

The Issues With Today’s Solutions

If ‘data is the new oil’, then the ability to use the information we hold about our customers and businesses appropriately and in context is the key to digital transformation and organisational success. In this new world, the ability to remove friction from the customer journey whilst efficiently ensuring the safety and security of the data becomes paramount.

If we assume that to harness and control data we first need to know what we have, we can see that there are a number of approaches currently being deployed to establish a foundation:

  • Clipboard exercises interviewing line management to ascertain where the organisation thinks its data should be and what the data flows should look like. Time intensive, often requiring external consultants and delivering an espoused view as opposed to reality often facets this approach.
  • Tackling structured data with a barrage of queries often yields results but precludes all of the unstructured data both within those structured sources (like CRM systems) and the ‘Wild West’ of shared drives, email platforms, cloud storage systems and ‘servers under a desk in Stoke’.
  • eDiscovery systems can be deployed to try and forensically assess what data is out there. Expensive, restricted and with an inability to respond quickly, these systems only get a partial job done. Our system reduces the size of your data lake, minimising Data Analyst’s effort to complete the task.
  • Data Governance Solutions are utilised to try and control users and their access to, and use of, information. Largely focusing around directories and fileshares but with rules and some AI, these tools do their job but on a limited set of data up to a capped scale with some, but often restricted, insight into what’s going on with the information estate.
  • Data Loss Prevention (DLP) platforms are acquired to get control on the data and how it flows. Expensive, lengthy and with inflexible rule matrices that can often take 2 years to develop and can become obsolete in an instant means that this ‘hard code’ approach to try and tag and bag data to get it under control and understood often falls short of the overall goals.
  • Data Management platforms like Hortonworks provide powerful tools to leverage data and understand it. However, they are often mired in lengthy development cycles and require hard-to- recruit and retain developers and technologists.
  • ‘Traditional’ storage systems such as a SAN allow organisations to easily add data capacity but not to automatically manage or control information based on content and therefore relevance.

Click here to download the PDF version of this guide.

The Smart Alternative

The diagram below provides an architectural overview of the Exonar Information IntelligenceTM platform and how this platform has been harnessed to create a new concept in data management – Search Optimised Smart Storage (SOSS).

Exonar Search Optimised Smart Storage

The verb SOSS means ‘to move gently’. The movement of data, or data control, within an organisation is crucial not only for controlling Total Cost of Ownership (TCO) but also for utilising information as an asset and managing information as a risk.

Search Optimised Smart Storage (SOSS) from Exonar allows intelligent data control policies to be defined through the powerful and flexible search capabilities inherent in the Exonar Platform. SOSS provides the capability to automatically move data to the right location with the right performance and protection based on the data’s content, metadata and importantly, its value and risk. Crucially, SOSS moves data gently enough that it always remains searchable, discoverable and accessible to the right set of people and applications.

SOSS Platform Capabilities

  • Optimising TCO and performance for frequently accessed data through smart storage tiering.
  • Placing verbose or repeated data into Deduplicated and Compressed storage locations.
  • Moving important data to storage locations with DR policies that define data appropriate Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO).
  • Reducing TCO for orphaned, stale and rarely accessed data by moving from ‘hot’ to ‘warm’ or ‘cold’ storage (e.g. cloud storage).
  • Protect sensitive data by moving it to an encrypted and access restricted storage location.
  • Retention and records management via search based retention policies that control not only where data is kept but how long it is kept for.
  • Enable rapid data production for regulatory production (such as GDPR Subject Access Requests)

But How?

The Exonar platform is uniquely positioned to combine massive scalability, speed and data ingestion from almost any source. It has the ability to interrogate and analyse content rich data in bulk or at the level of an individual item, in near-real time. This is delivered on a clustered and resilient software and hardware platform that can economically scale to a range of customer data requirements and sizes; from around 100,000 up to billions of items. Exonar’s platform provides: integration, coordination and deployment of scalable big-data technology on commodity hardware, the use of Machine Learning and natural language processing techniques to understand and classify information, and the use of indexing and a user-experience layer to provide insight for our clients, with security always top of mind.

The vast amounts of data and variety of usage patterns pose a number of challenges:

Data presentation – users are provided the high level insight they need as well as an ability to zoom in and work with individual documents.
Finding the needle in a haystack – users can easily locate that one document they care most about amongst 10s or 100s of millions of documents in their organisation. This requires a powerful search interface, flexible schema and fast response times. An intelligent platform backed by Machine Learning makes it possible to automate processes which otherwise would require a huge amount of manual processing.
Scalability – the high volume and variety of data and fast rate of growth put Exonar firmly in the Big Data category. As our customers’ data volumes increase, the platform is designed to scale up with the volume.
Evolving requirements – we are able to quickly react to the needs of our customers and pivot when necessary. Using open source components at the core of our platform enables us to take features to market quickly, focus on solving the most pertinent problems and provides clients with the assurance of long term utility should Exonar no longer exist.

Exonar has an open framework that can connect to all of the most frequently used business information systems. Implementation is rapid and the platform delivers results from day one of installation. We employ a layered architecture which takes data from external systems and applies a series of processes to understand and index it, making it available for interrogation by users and other systems. For organisations with more complex environments, custom connectors are created to integrate legacy systems data into this new environment. The platform doesn’t need an analyst to operate it and is accessible by a regular business with a half day of training.
Exonar is provided as a scalable appliance. It is licensed on an annual basis against the amount of data indexed, with sliding scale discounts applying to larger data volumes, and includes all hardware and software support and maintenance as well as product updates.

Leveraging The Exonar Platform

Clients are deploying the Exonar platform to solve a range of business imperatives, such as:

Data Privacy

  • Achieve and maintain compliance with Data Privacy regulation like GDPR, CCPA and POPI
  • Process access requests for personal data in minutes, not days
  • Create a Data Inventory of ALL your data.

Partner Data Indexing

  • Reduce costs in limiting time finding your partner data
  • Index data remotely, improving operational efficiency.

Cloud Bloat

  • Detect cloud data classified as ‘digital litter’ – duplicated, outdated and trivial
  • Organise information to speed up usability, efficiency and governance.

Records Management

  • Assemble practical intelligence on data and file location and sensitivity
  • Drill into specific files of the same subject, regardless of location and format.

Information Security

  • Discover and understand your sensitive information, what it is, where it is and who has access to it to ensure it can be properly and appropriately protected.

Data Lake Filtering

  • Our eDiscovery tool reduces your data lake, minimising human effort.

The Exonar Advantage

Intuitive User Interface

  • You don’t need to be a data scientist or an analyst. Simply connect Exonar to your network and our easy-to-use dashboards enable you to pull charts up and drill to any level of detail.

Intelligent Classification

  • Intelligent Classification automates the process of identifying patterns in documents and categorising them for protection, accessibility or deletion. Categories are defined by anything a user can search for, such as document markings, location, authorship, accessibility or contents.

Massive Scalability

  • Exonar’s ability to search billions of enterprise documents and return not just one but all of the most relevant results swiftly is enormously powerful. Our product can be scaled horizontally and can be installed either on-premise or in the cloud.

Boundless Connectivity

  • Exonar has an open connector framework allowing it to connect to almost any data source.

Near real time performance

  • Exonar’s platform delivers near real time responses to queries so it can be utilised both for single instance and ongoing monitoring of information assets. In addition, users can interrogate information from day one with a single ‘crawler’ ingesting around a million items a day.

Customer Obsessed Culture

  • Exonar’s agile culture sees our development process evolve through iteration, continuous feedback and evolution. We are highly focused and work collaboratively with our customer base to deliver a solution that can enable your digital transformation.

Exonar Background And Experience

The Exonar platform was originally developed for the needs of clients in the Defence sector. The system enabled them to understand their Intellectual Property, assess the ramifications of its loss including the business impact, and to help design improved processes for future protection.

We are an innovative technology company, based in the UK. This year we were selected by one of the UK’s largest retail banks over IBM to meet their initial requirements for ‘life after GDPR day’ and their platform for information management. We were selected by them not just for the unique capability of our technology but to deliver their information insight swiftly, simply and at scale because of our innovative approach and our ability to react to changing customer requirements. As a company, we pride ourselves on being utterly professional whilst maintaining our belief that people don’t want to deal with ‘the Corporate Entity’, they want to deal with real people who they can work with to solve their business problems.

We partner with the ‘big four’ consulting firms and specialist ‘boutique’ partners to deliver projects and ongoing programmes. Our investors include Amadeus Capital Partners and Winton Ventures, two of Europe’s most respected Venture Capital firms.

Where Do I Start?

The answer is to simply start. The task does not have to be approached as a big bang and no elephants need eating. Exonar can help you plan your approach and the benefits are almost immediate – the index that is created is searchable from day one. Every organisation is different with a balance bias between structured and unstructured data, different employee behaviours and different blends of knowledge and process workers but all yield benefit. The business benefits of action are clear, the rewards tangible and attainable. For the first time, discovering your information advantage is simply and easily achievable.

The first step in the process is to get in touch with Marcus Hill who will organise a walk-through of the platform for you and your team. Marcus can be contacted via 07793 857122 or

In return, you could have peace of mind with regards to your GDPR Compliance, PII, Cloud Migration, Information Security and many other of your data challenges.

Click here to download the PDF version of this guide.





Information Security Solutions

Cloud Migration Solutions

Cloud migration without the risks

Migrating everyday business information to one of the many cloud services such as Box, Dropbox or Office365 makes sense for almost every organisation.

Everyone’s migrating

Even traditionally risk adverse industries such as Finance, Government and Defence are adopting this model as they see the benefits of collaborative working whilst reducing the need to manage infrastructure. However, the question as to what can and should be moved must be addressed during migration projects.

Cloud migration can provide cost savings and productivity improvements.

Migrations equal regulations

Information is increasingly the subject of regulation. From EU GDPR dictating the nations deemed fit to hold EU Citizen data, to UK Government regulating how protectively marked information must be treated, or a hundred other industry specific regulations on how and where information can be stored, a poorly planned cloud migration project will expose your organisation to substantial additional regulatory and financial risk.

Cloud migration without the risks

Understanding what information you have, where it is, how old it is and who has access to it enables you to make sense of your unstructured information and prioritise what information should be de-duplicated, what should be archived, what should be deleted and what should be carried forward to your new cloud infrastructure. The Exonar platform enables you to cleanse information of unwanted and risky information, leaving your staff with just the valued information, properly protected, easily located and accessible within your chosen cloud service.

Download Cloud Governance brochure

CCPA Solutions

Generation privacy has begun

In the last 12 months, data privacy has moved from a niche topic to something talked about at almost every corporation’s board meeting.

The EU GDPR, which came into force on May 25th, 2018, covers data held on any EU citizen and enforced new accountability for organizations processing personal data.

With the legislature passing the California Consumer Privacy Act 2018 (AB 375) on June 29th 2018, there are now a similar set of rules governing most organisations holding data on US Citizens.

Exonar simplifies compliance with the California Consumer Privacy Act (CCPA) by getting right to the heart of the matter: Finding, Mapping and Managing your data.

How Exonar can help with CCPA

Data Mapping and Inventory

Data Subject Access Requests

Data Portability

Enforcing Compliance

Right To Be Forgotten

Meet the Personal Data Privacy dashboard

Exonar’s Privacy dashboard provides a top-down view of your organisation’s information in relation to the EU GDPR and California Consumer Privacy Act (CCPA).

It shows a comprehensive picture of all the data held which is relevant to these laws, where it is held and its characteristics.

This view will take your organisation beyond spreadsheets and interviews, and into the realm of making well-informed decisions, rapidly.

Where Do I Start

Preparing for CCPA will share many characteristics with those undertaken for GDPR:

Assemble the team: Include Executive Sponsors and stakeholders from Legal, Compliance or your data privacy team, people with oversight of you corporation’s technology and it’s security and representatives from the key personal data owners in your business (e.g. HR, Sales, Marketing, Customer Service).

Get started with a data inventory. Prioritise information stores likely to contain personal data and those with poor governance. Be practical, start with those that are easy to create an inventory form.

Don’t rely on your corporation’s answers to questionnaires for your data inventory, or you will get an idealistic view of your risk (your head of marketing is likely to say the personal data they process is in the marketing system, forgetting that it got there via email and has been exported into spreadsheets). You will need technology to do this effectively (and we can help!)

Establish a culture of security and privacy and ingrain this into your day-to-day operations. Communicate a simplified overview of CCPA to the key stakeholders.

Create and practise your business processes that will be required to satisfy the rights of the individual (Access to data, erasure, breach notification).

CCPA versus GDPR

There are many similarities and some key differences between GDPR and CCPA. Here is Exonar’s take:

Basis for consent

GDPR – Opt in

CCPA – Opt out

Who it applies to

GDPR – Any organisation holding personal data on EU citizens

CCPA – For-profit entities that process personal data of California residents and either:

Do $24 million in annual revenue

Hold the personal data of 50,000 people, households, or devices

Do at least half of their revenue in the sale of personal data.

Rights for individuals

GDPR – Access to data being held, right to erasure, correction, object to automated processing. Right to notification if there is a data breach.

CCPA – Right to disclosure and objection relating to who data is being sold to, no discrimination if individual objects to data sold. Right of access to data being held. Right to know how personal data is being used. Right to know who data has been provided to.

When does it come into force

GDPR – May 25, 2018

CCPA – Jan 1, 2020

Financial Penalties

GDPR – 4% of turnover or €20m (whichever is greater)

CCPA – $7,500 per violation. $750 or actual damages for each individual, whichever is greater

Time allowed to respond to a request

1 month

45 days

NB, California resident is defined as, “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.

The CCPA – The Definitive, Easily Searchable Text

Follow the link below to read the full California Consumer Privacy Act text, with each section clearly marked and searchable.

The legislature passing of the California Consumer Privacy Act 2018 (AB 375) happened on June 29th 2018, and these new rules will now govern most organisations holding data on US Citizens.

Read More

Event Update – Join us for our Exonar meet-up in London

We’re delighted to be partnering with Brown Rudnick who will host a meet-up at their London offices on Tuesday, June 18th.

One year on from the start of the new GDPR regime, Exonar and Brown Rudnick invite you to join us to discuss the trends, issues and lessons learnt from the last 12 months. The session will be followed by a drinks and canpé reception for networking.

Topics will include:

  • Weaponising SARS – litigation friend or foe?
  • GDPR class actions – just around the corner?
  • What data can be excluded from a SAR response?
  • The €50m Google fine

Our panel will feature:

  • Mark Lubbock – Partner (Intellectual Property and Technology), Brown Rudnick
  • Adrian Barrett – CEO & Founder, Exonar
  • Gilbert Hill – CEO, Tap My Data
  • Ben Falk – Founder, Yo-Da
  • Anya Proops, QC – Barrister, 11 Kings Bench Walk
  • (Chair) James Cole – Partner (Corporate), Brown Rudnick

Date: Tuesday 18 June 2019

Venue: Brown Rudnick LLP, 8 Clifford Street, London W1S 2LQ

Time: 18.00 – 21.00

To book your space, please visit:
We hope you can join us!


Free Webinar – The Perfect Privacy Programme. Register Now!

GDPR One Year On: What Does a Perfect Privacy Programme Look Like?

Free Web Conference – Brought to you by Exonar

Broadcast date: 2:00pm, April 24, 2019

One year on from the introduction of the EU General Data Protection Regulation (GDPR), join Exonar and experts from the field in discussing ‘What does a perfect privacy programme look like?’

In this web conference we will hear from our panel of experts as they discuss:

  • What are the necessary components of an enterprise-level privacy programme?
  • How do we optimally assign roles and responsibilities within a privacy programme?
  • How can we most effectively create and manage accurate personal data inventory? (Article 30 – Records of Processing Activities)
  • How do we best monitor for GDPR compliance using both manual and technical controls?
  • What is the best way to deliver privacy training to our employees?
  • What are the most effective tools available to satisfy individual rights? I.e. Subject Access Requests (SARs), Right to be Forgotten, data deletion and retention.

In addition to discussion from the field, our panel will also discuss Exonar’s recent findings based on surveys of 100+ organisations and consumers into:

“What’s Next with Personal Data Inventory?” – Exonar have profiled 100+ organisations’ attempts to create personal data inventory. One year on we ask what monitoring and compliance actions they are now planning to take as a result.

“Consumer Attitudes to Subject Access Requests (SARs): A SARvey” – Exonar have surveyed 100+ consumers to assess their sentiment towards data privacy and the ability to exercise their privacy rights.

There will be a live Q&A session in the final 15 minutes of the webinar so, to avoid missing your chance to contribute, register on the form below:

John Tsopanis, Data and Privacy Director, Exonar

Ralph O’Brien CIPM, Vice Chair UK Data Protection Forum, Principal Reinbo Consulting
Sophie Payne, Customer Success Lead and Data Scientist, Exonar
Ben Falk, CEO of Yo-Da, Your Data


Book your place now:

Your questions answered – IAPP webinar Q&A

Recently, Exonar organised a webinar hosted by the IAPP. ‘Thriving in Generation Privacy: Capitalising on DSAR Data from the Field’ was a great event with a large number of attendees and a thought-provoking programme that raised a number of questions from the floor. The webinar summary was as follows:

With the introduction of the EU GDPR, the CCPA and other global privacy laws, people have increased expectations of how their personal data will be handled and protected. This is driving up the number of inquiries for data subject access requests and requests to exercise the right to be forgotten. We commissioned our own research into how businesses are coping with the increased demand; the findings of which were remarkable.

If you missed the webinar, you can find it here:

Due to time constraints, it was not possible to address all the questions asked during the webinar, so we’ve gone through them all and you can find a complete list of questions and our answers below:


Q1. Is there any clarity (under EU GDPR Guidance etc) on what personal data can be safely classed under Legal Privilege and therefore remain undisclosed to data subject?

Answer: Where Legal Privilege protects sensitive content within confidential or privileged documents, the sensitive content is to be redacted when providing copies of the documents to the data subject if they have requested to access their personal information for legitimate reasons. Personal information within confidential and sensitive documents still belong to the individual and they have a right to request access to it. For instance, an ex employee requesting access to emails about their performance, the contents of which also contain the sensitive information of the client that their performance relates to. The organisation is to redact the sensitive information relating to the client, and satisfy the access request to access their performance related data.


Q2. Common challenges (Identifying the data subject) and fake SARs could be a real challenge too – how is this handled?

Answer: The steps you take to identify the individual will be particular to your organisation. In summary, ensure that you are asking for the same amount of verification as you would if that individual were to request their information for any other reason. Practically speaking, this will mean the key identifying information regarding them and potentially some form of identity verification.


Q3. Is unstructured data covered by GDPR?

Answer: Yes, all personal data relating to EU citizens is covered by GDPR.


Q4. What is the percentage of SARs for which you know, explicitly, the reason for submission, as there is no requirement for the individual to state the reason they want the data?

Answer: In practise, with the SARs we handle, it is only occasionally stated as to why the individual is requesting their data. Sometimes it becomes obvious during the review process and it may be appropriate to intervene in a different way (for example, it becomes evident that they are a customer who has a grievance).


Q5. Do you have any recommendations to streamline the SAR intake process?

Answer: Yes, pay close attention to what data you are providing, spread the load and invest in automation where appropriate. We often find organisations default to disclosing lots of context (i.e. contents of files and emails). In reality, the regulation requires that you disclose the personal data you hold, the purpose, where it is stored, and third parties you have provided it to. It may be appropriate to provide more information to diffuse a situation but it isn’t a requirement. Exonar can help automate this process. It needn’t take days; it can be achieved in minutes using their platform.


Q6. How do the regulators prioritise SARs? Aren’t they far busier with data breaches and other more “serious” incidents? In short, if they are inundated with SARs, it could take a long time for a data subject to get a response.

Answer: Satisfying the right to access through SARs is very high on the ICO’s priority list. Jonathon Bamford, the director of strategic policy at the ICO told us this at a recent Westminster eForum: “Well, actually, the biggest issue that’s raised is subject access, and it isn’t about little changes around if you can charge a fee, or how long it takes or things like that. It’s the core thing about securing somebody’s right to have access to their data, and that’s the biggest thing that we’ve got there, so when I’m talking about data protection back to basics it’s that one. I think the fact that we’ve got Subject Access Request (SAR) complaints up by 98% tells me something.Complaints have increased significantly since May and we’re on track to receive over 43,000 individual complaints by the end of the year, and certainly by the end of quarter 2 we’d received 94% more complaints than we had the year before. So that’s interesting. I think from May to October I think we got 16,000, nearly 17,000 complaints, in the previous period in 2017 that was 7,000. The biggest issue that’s raised is subject access”.


Q7. Are the panel aware of any significant increase in SARs as a result of equal pay (and similar) reporting requirements? For example, if the company holds an employee name and + or – average salary. Are there any exemptions to disclosure that could apply here?

Answer: We’ve asked around and we’ve not encountered this use case before, but in theory, an employee would be able to ask for their ‘relation to average salary’ data if it existed. That employee couldn’t access the details of other individual employees, and can otherwise access aggregate salary details in company reports, so the answer for the organisation is ‘don’t create politically toxic categories of personal data that employees and customers could potentially ask for’.


Q8. Is there any easy way to automate consent management in addition to the information itself?

Answer: There are automated consent management solutions on the market, and we’d be happy to give you our opinion on the solutions we have seen if that helps you.


Q9. Might we see the courts (and potentially the CJEU) eventually rule on SARs that are used abusively and contrary to the spirit, even if not letter, of the GDPR?

Answer: The GDPR already gives organisations the right to challenge the scope and legitimacy of a data subject access request to counter the types of trolling or excessive requesting that some might have expected. There has yet to be a high-profile instance of such an abuse of the SAR rules and I imagine that privacy regulators will respond if that threat does indeed materialise. To this point I don’t think the courts have been given any meaningful incentive to tighten those rules.


Q10. As a non-European/non-American, how do I know if I’m subject to GDPR or CCPA?

Answer: You are subject to GDPR if you hold any data regarding EU citizens.


Q11. How do you collect enough information to verify the data subject without creating another record by receiving that information?

Answer: Under GDPR there are six lawful bases for processing personal data. One of these is legal obligation. As it is your legal obligation to comply with a SAR, this is the basis for processing this information.


Q12. How do you verify the identity of the person requesting the SAR? A qualifier for my question; I’m referring of course to complaints to the regulator concerning unfulfilled SARs.

Answer: See Q2.


Q13. Can a SAR ask for details of technical and organisational measures taken to protect their data?

Answer: The right of access does not include disclosure as the methods used to protect information. However, taking appropriate measures is a legal obligation in itself.


Q14. Don’t SARs also apply to paper records?

Answer: Yes, GDPR is technologically neutral. The regulation applies in two situations; firstly, where processing of personal data is conducted by “automated means,” and/or where processing of personal data is not conducted by automated means, but it forms part of a filing system or is intended to form part of a filing system. This second condition clearly applies to paper filing systems.


Q15. From the average cost of SARs being £525, did any of the organisations who were involved with those SARs who took part in  the survey ask the data subject for a reasonable fee? £525 seems very costly to small organisations.

Answer: It is illegal under the GDPR to request a fee for fulfilling a SAR. It is for this reason that organisations must quickly move from a highly costly manual process into embedding an automated SAR solution that can reduce this financial burden long term.


Q16. There are some data breaches caused by a mishandling of SARs, such as the Amazon/Alexa case in Germany. Could you please talk a bit about this? Are there any other similar cases you might share with us, please?

Answer: Your response to a SAR is likely to contain a highly concentrated profile of personal information about the data subject. Using your data privacy impact assessment process, you should classify your SAR response communications as high risk, and apply the high risk security controls your organisation uses to protect other high risk communications and data transfer e.g. using secure file shares, encrypting the file, sending keys separately etc. Our advice is, therefore, to apply the high-risk security controls used for other high risk personal information transfers.


Q17. Given the pending final guidelines on the territorial scope of the GDPR (Article 3), how should entities outside of the EU who are unsure of their nexus respond to a SAR? With regards to Article 3(2).

Answer: GDPR applies to any organisation holding personal data relating to EU citizens. If this is you, you will need to respond to the SAR or you will be in breach of the regulation.


Q18. Is there a danger that some organisations are asking for too much information to confirm proof of identity? Some insist on copy of passport – something I might not be happy to share with a company I might already be unhappy with?

Answer: The IAPP has a great article on this.


Democracy Disrupted: Data Privacy, Social Media & Election Interference

Democracy Disrupted: Data Privacy, Social Media and Election Interference – Summary of Data Protection Forum speech

On March 5th, 2019 our Data & Privacy Director, John Tsopanis spoke at the Data Protection Forum event in London. His talk – ‘Democracy Disrupted: Data Privacy, Social Media, and Election Interference’ is presented here in article form.


When discussing social media, it’s important to understand that it is a visual media; a visual media that has the power to evoke powerful emotions in the individual, groups of individuals, tens of millions of individuals whose relation and opinion of the world is formed by the content they consume. So, when we talk about the scale of political disinformation campaigns we are attempting the impossible, trying to articulate the psychological impact that billions of messages are having on the psychology of tens of millions of individuals. The scale of influence is critical; according to data from Nielsen, Americans spend an average of 10 hours and 39 minutes consuming media across their devices every day. Specifically, five hours per day are spent on mobile devices. What we see on our screens is now the overwhelming driver of political opinion and consensus.

UK Parliament DCMS Fake News Report

UK Parliament’s DCMS report into fake news, disinformation and interference into Brexit concludes that data privacy rights were violated by Facebook and Cambridge Analytica during the Brexit referendum, and tens of millions of people were microtargeted with political disinformation as a result. The DCMS conclude that the institutions that are designed to protect us from this type of abuse are not fit for purpose nor appropriately funded. The DCMS have called for urgent action to safeguard our democracy from microtargeted political disinformation campaigns, funded by countries like Russia, that aim and are succeeding at fracturing the British political consensus into gridlock.

The DCMS acknowledge that the GDPR has been a necessary first step in establishing privacy rights for British citizens, but more protections are needed to safeguard citizens’ online safety given the privacy violations that have already occurred.

The DCMS report summarises as follows:

“We have always experienced propaganda and politically-aligned bias, which purports to be news, but this activity has taken on new forms and has been hugely magnified by information technology and the ubiquity of social media. In this environment, people are able to accept and give credence to information that reinforces their views, no matter how distorted or inaccurate, while dismissing content with which they do not agree as ‘fake news’. This has a polarising effect and reduces the common ground on which reasoned debate, based on objective facts, can take place. Much has been said about the coarsening of public debate, but when these factors are brought to bear directly in election campaigns then the very fabric of our democracy is threatened.

This situation is unlikely to change. What does need to change is the enforcement of greater transparency in the digital sphere, to ensure that we know the source of what we are reading, who has paid for it and why the information has been sent to us. We need to understand how the big tech companies work and what happens to our data.

In a democracy, we need to experience a plurality of voices and, critically, to have the skills, experience and knowledge to gauge the veracity of those voices. While the Internet has brought many freedoms across the world and an unprecedented ability to communicate, it also carries the insidious ability to distort, to mislead and to produce hatred and instability. It functions on a scale and at a speed that is unprecedented in human history. One of the witnesses at our inquiry, Tristan Harris, from the US-based Center for Humane Technology, describes the current use of technology as “hijacking our minds and society”. We must use technology, instead, to free our minds and use regulation to restore democratic accountability. We must make sure that people stay in charge of the machines.”

Data Privacy and British Democracy

The problem British democracy faces has two core components:

The first is the need to safeguard personal privacy and restrict the ability for personal data to be harvested, profiled and leveraged at scale by unknown actors. The GDPR has given individuals the rights to access and erasure which offer a solution for the individual, but if the organisations conducting the microtargeting are unknown and/or criminal it is very difficult for the individual to exercise these rights. What is needed is greater capacity for enforcement.

The suggested solution from the DCMS is to impose a 2% levy on big data and social media companies and ring fence that into funding the ICO’s enforcement work. This will allow the extension of powers offered to them under the GDPR which will enable them to identify, investigate and take down dark data and disinformation operations at scale. It is the international scale of operations working against British democracy through the vehicle of unregulated social media that has overwhelmed our current domestic regulatory bodies and our politics. Therefore, an urgent boost to the resources of the regulators is needed to tackle this problem at source.

The second problem is tackling disinformation. The DCMS has called for the following:

“There is now an urgent need to establish independent regulation. We believe that a compulsory Code of Ethics should be established, overseen by an independent regulator, setting out what constitutes harmful content. The independent regulator would have statutory powers to monitor relevant tech companies; this would create a regulatory system for online content that is as effective as that for offline content industries.

As we said in our Interim Report, such a Code of Ethics should be similar to the Broadcasting Code issued by Ofcom—which is based on the guidelines established in section 319 of the 2003 Communications Act. The Code of Ethics should be developed by technical experts and overseen by the independent regulator, in order to set down in writing what is and is not acceptable on social media. This should include harmful and illegal content that has been referred to the companies for removal by their users, or that should have been easy for tech companies themselves to identify.

The process should establish clear, legal liability for tech companies to act against agreed harmful and illegal content on their platform and such companies should have relevant systems in place to highlight and remove ‘types of harm’ and to ensure that cyber security structures are in place. If tech companies (including technical engineers involved in creating the software for the companies) are found to have failed to meet their obligations under such a Code, and not acted against the distribution of harmful and illegal content, the independent regulator should have the ability to launch legal proceedings against them, with the prospect of large fines being administered as the penalty for non-compliance with the Code.”

The scale of disinformation on social media platforms is the current largest threat to British democracy. It’s one that data privacy professionals have yet to truly understand, primarily because the 20% professional class are rarely the targets of micro targeted disinformation campaigns due to their inferred socioeconomic status. This perfect storm has meant that our privacy legislation now lags significantly behind the technology that needs to be regulated and there is an overcompensation needed to correct course.

Cambridge Analytica, Disinformation and Brexit

Cambridge Analytica were responsible for delivering the Trump and Leave.EU Brexit social media campaigns.

‘Today, in the United States, we have close to 4000 to 5000 data points on every individual. So we model every personality across the United States, some 230 million people’ – Alexander Nix, CEO of Cambridge Analytica, October 2016

See 6:40-11:07 for Channel 4’s undercover reporting of Cambridge Analytica’s political disinformation tactics:

The integrity of the information supply is the cornerstone of a free and functioning democracy

“A democracy needs good quality information, and fair distribution of that information in order to articulate, aggregate, and defend its own national interests. Without it, democracy falls.” said Professor AC Grayling, moral and political philosopher, and author of over 30 books on ethics, philosophy and the history of human rights. He also went on to say:

“In a mature democracy, citizens must be free to choose the information they consume, and to be able to easily identify and trust the source of that information at the point of consumption. The ability for citizens to do this, to opt out of illicit messaging from untrusted sources, is what we might consider exercising our right to privacy. Without these freedoms, we cannot meaningfully escape unwanted influence, and in a truly Orwellian sense, our vulnerability to psychological manipulation by unknown individuals and organisations makes us all less free”.

Foreign Interference in Brexit

The DCMS, along with tackling data privacy violations and disinformation, has also called for an urgent investigation into Russian interference into Brexit. The aim is to investigate the source of Mr Aaron Banks’ £9m donation to the Leave.EU campaign; the largest donation in British political history – the source of which is still unclear.

What is clear is that the disinformation networks that were operating during the Brexit referendum are still active and more effective than ever. The prevalence of known Kremlin Twitter and Facebook accounts amplifying pro-Brexit politicians (e.g. Conservative members of the “European Research Group” known as the ‘ERG’) and pro-Brexit social media pages like Leave.EU and Westmonster are deep cause for concern for British citizens. Leave.EU alone generated 661,000,000 impressions on Facebook and 221,000,000 impressions on Twitter in 2018.

The full nature of this relationship must be investigated by an Independent Counsel similar to the USA’s Mueller Enquiry, an enquiry that is investigating the Trump Organisation’s ties with Russia, and revealed to the public as a top priority.


Britain needs to take back control of its politics and to do so it needs to take back control of its data, give the necessary regulatory bodies the investigative and enforcement powers needed to conduct investigations at scale. It should create new institutions that are fit for holding social media companies accountable for disinformation campaigns run through their platform.

Missed Our IAPP Webinar? Watch ‘Thriving in Generation Privacy’

Exonar Webinar hosted by the IAPP: ‘Thriving in Generation Privacy: Capitalising on DSAR Data from the Field’. Your chance to view the recorded webinar.

With the introduction of the EU GDPR, the CCPA and other global privacy laws, people have increased expectations of how their personal data will be handled and protected. This is driving up the number of inquiries for data subject access requests and requests to exercise the right to be forgotten. We commissioned our own research into how businesses are coping with the increased demand; the findings of which were remarkable.

First broadcast on the IAPP website on February 7th 2019, watch this recorded webinar to hear from the field about these survey results and more, including:

  • The cost of handling data subject access requests. (UK public sector organisations example).
  • The results of a subject access request to a UK based high street bank
  • How the world’s leading tech companies dealt with recent requests for personal data
  • How organisations are profiting from their privacy programs
  • The toxic data you’re storing and what to do about it
  • How companies have prepared for Generation Privacy and what you can do now.

Dave Cohen, CIPP/E, CIPP/US, Knowledge Manager, IAPP

Adrian Barrett, CEO, Exonar
Phil Lee, CIPP/E, CIPM, Partner, Privacy, Security and Data Protection Practice, FieldFisher, London, U.K.
Steve Wright, GDPR Advisor at Bank of England, CEO, Data Privacy Architect, Privacy Culture, London, U.K.

Run time – 60 minutes.