
GDPR Subject Access Request


In less than a month GDPR will be a year old, and many U.S. companies are still struggling with GDPR compliance. According to a study by PossibleNOW, a provider of consumer regulatory compliance and consent solutions, only 27% of U.S. companies are GDPR compliant, and 44% of these companies say one of their primary challenges is Subject Access Requests (SARs).


What is a SAR?

GDPR guidelines give ownership of the data to the data subjects (people) and provide the following rights:

  • Article 13 & 14 Right to be Informed
  • Article 15 Right to Access
  • Article 16 Right to Rectification
  • Article 17 Right to be Forgotten
  • Article 18 Right to Restrict Processing
  • Article 20 Right for Data Portability
  • Article 21 Right to Object
  • Article 22 Right to Object to Automated Processing

Requests for data can be made electronically or physically. If a request is made, the organization must respond within a month.


What’s the first step to fulfilling a SAR?

When organizations receive SARs, the first step is verifying that the request is definitely coming from the actual data subject. The identity of data subjects must be verified to ensure fraudulent requests aren’t processed. This ensures that data isn’t released to an unauthorized person and that customers aren’t inconvenienced by having information deleted or changed when they did not request it.


What is the major challenge in responding to SARs?

A key challenge in any SAR is being able to pull together all the relevant information. This means pulling both structured and unstructured data. GDPR guidelines don’t permit you to leave information out because it’s difficult to access: GDPR applies to every type of system where personal data resides. Personal data can be stored anywhere in an organization, including traditional databases, emails, spreadsheets, text documents, PDFs, images, etc. Your organization will need to develop processes to pull data from every source that holds personal data, including both active and archived information.


GDPR is a reality, and your organization is going to have to ensure that SARs are verified and processed in an organized and efficient manner. Your organization has only a month to respond to a SAR. The more streamlined and automated you can make these processes, the easier it will be to comply with GDPR regulations.

Are you having challenges managing your SARs? Crayon has the GDPR Infinity platform that helps organizations manage this process and track all requests. Contact your Crayon Account Manager, or contact:

Tony Musielak - SAM BDM

+1 469 329 0285