What Happens When You Get a Subject Access Request And Can’t Find the Records?

Why Disorganised Storage Can Put Your Organisation at Risk

When a Subject Access Request (SAR) lands in your inbox, the clock starts ticking. Under UK GDPR, you have just one month to respond — and that means locating every relevant piece of information relating to the individual who made the request. Sounds simple enough, right?

But what if your records are scattered? Stored in a mix of email threads, filing cabinets, shared drives, and unlabelled archives?

What if you simply can’t find them all?

Here’s why that matters and what you can do to avoid the worst-case scenario.

What is a Subject Access Request (SAR)?

A SAR is a request made by an individual to access the personal data your organisation holds on them. This includes:

• Paper records

• Emails

• Case files

• HR documents

• Call logs

• Scanned documents

• Archived files

You’re legally required to provide this information within 30 calendar days — in a format that’s clear, complete, and accessible.

What Happens If You Can’t Find the Right Records?

If your storage system is disorganised, inconsistent, or reliant on one or two people knowing “where things live,” you’re exposing your organisation to real risk:

Non-Compliance

Failure to meet SAR obligations is a direct breach of UK GDPR - and can result in fines, complaints to the ICO, and damage to your reputation.

Incomplete Responses

You might respond on time, but if your search was limited to what’s easily accessible, you risk missing key data. This can lead to follow-up complaints or legal action.

Time Waste & Team Disruption

Searching for information in five different places slows everything down. It’s not just about the person handling the SAR - it's pulling time from legal, HR, IT, and admin too.

Loss of Trust

In sectors like legal, healthcare, or local government, a poor SAR experience can erode public trust and client confidence.

The Hidden Problems Behind Missed SARs

• No central index of what data you hold, where, and in what format

• Disorganised shared drives with inconsistent file naming

• Legacy paper records with no digital backup or indexing

• Multiple departments holding duplicate or fragmented data

• Infrequent reviews of what should be archived or deleted

  
  

Often, the biggest issue isn’t what you have — it’s not knowing what you have.

What You Can Do Now to Reduce the Risk

Here’s how to create a system that protects you when that SAR arrives:

1. Audit What You Hold

Start by understanding your current document landscape — both physical and digital. What types of records do you keep? Where are they stored? Who has access?

2. Centralise & Catalogue

Create a clear index or map of your records. If someone asks for data, you should know exactly where to look — not “try HR’s cabinet” or “check Becky’s old laptop.”

3. Digitise Vulnerable Records

Scanning archived records (especially paper-only formats) ensures they’re searchable, backed up, and accessible from a central location.

4. Label Clearly

Whether digital files or physical folders, clear naming conventions make records easier to find and harder to misplace.

5. Train Your Team

Make sure everyone understands the SAR process — and the importance of storing data consistently and securely.

How MDSS Can Help

At MDSS, we work with organisations across legal, finance, healthcare and the public sector to bring structure to document chaos.

We offer:

• Secure document scanning and indexing

• Offsite storage for physical records

• Guidance on retention and GDPR compliance

• Support for Subject Access Request response planning

If you’ve ever panicked over a data request or suspect your current system wouldn’t stand up to scrutiny, let’s have a conversation.

SARs don’t have to be stressful. With the right document management in place, they’re just another process. Let us help you get there.