Outsourcing data privacy, the complex compliance maze

Navigating the Complexities of Outsourcing Subject Access Requests (SARs): A Guide for Data Controllers

Subject access requests · UK GDPR · Processor accountability

Outsourcing subject access request work can help an organisation manage volume, complexity and review pressure. It does not outsource legal responsibility. Under the UK GDPR, the controller remains responsible for the response, the search, the use of exemptions, the protection of third-party information and the quality of the final disclosure. A processor can assist, but the controller must stay in control.

Category
Data protection
Jurisdiction
United Kingdom
Reading time
c. 12 minutes
Last reviewed
3 July 2026
By-line
Legal Lens

Publication snapshot

Subject access requests are often treated as an operational burden. That is a mistake. The right of access is a fundamental data protection right, giving people a copy of their personal information and supplementary information about how it is used. Outsourcing the mechanics of search, review, redaction and response preparation may be lawful and sensible, but only if the controller keeps a clear audit trail, uses a compliant processor contract, protects confidentiality and makes defensible decisions on scope, exemptions and disclosure.

Why outsourcing happens

Subject access requests can be labour-intensive. A single request may require searches across email, case-management systems, HR records, customer platforms, archived material, messaging tools, call recordings, complaints files, legal files and third-party systems. The review may involve large volumes of mixed material, including personal data about several people, confidential communications, legal advice, safeguarding material, health information, employment records or commercially sensitive documents.

It is therefore unsurprising that controllers sometimes use external support. A specialist provider may bring review technology, redaction tools, trained reviewers, workflow management and capacity at short notice. A law firm may be asked to advise on exemptions, privilege, dispute sensitivity or litigation risk. An e-disclosure provider may assist with collection, de-duplication and search. A consultancy may help build the process or prepare a response pack.

The risk is that outsourcing can create false comfort. A controller may assume that once a third party is instructed, the request is no longer its problem. That is wrong. The individual has exercised a right against the controller. The controller must be able to explain what was searched, why the search was reasonable and proportionate, what was withheld, what was disclosed, what was redacted, who made the decision and how the deadline was calculated.

The controller remains responsible

The ICO's right of access guidance is direct on this point. Controllers are responsible for complying with subject access requests. If a controller uses a processor, the controller must have a contractual agreement that allows it to deal with SARs properly, whether the request is sent to the controller or to the processor. The processor must help the controller meet its SAR obligations, and the agreement must make that clear.

That means the processor is not the decision-maker unless it is separately acting as a controller for its own purposes. In the ordinary outsourced SAR model, the processor assists with tasks such as locating material, applying agreed search terms, preparing review batches, proposing redactions, keeping logs, tracking deadlines and assembling the response. The controller remains responsible for the legal assessment and the final response.

This distinction matters because SAR handling is not only an administrative exercise. It involves legal judgment. The controller may need to decide whether information is personal data, whether it relates to the requester, whether it also relates to third parties, whether an exemption applies, whether clarification is reasonably required, whether a search is reasonable and proportionate, and whether disclosure would prejudice another protected interest.

Controller

Owns the right-of-access response, decides scope, exemptions, disclosure, redaction and final communication.

Processor

Acts on documented instructions, supports searches, review workflow, redaction preparation and response assembly.

Requester

Is entitled to a lawful, timely and intelligible response, not a process hidden behind outsourcing arrangements.

Selecting the processor

The starting point is due diligence. A controller should not appoint a processor merely because the provider is available or familiar. The processor should be able to give sufficient guarantees that it will implement appropriate technical and organisational measures, meet UK GDPR requirements and protect data subjects' rights.

For SAR outsourcing, due diligence should be practical. The controller should ask whether the processor understands the right of access, processor obligations, confidentiality, secure transfer, redaction quality, review logging, third-party data, privilege-sensitive material, deletion or return at the end of the engagement, incident reporting and sub-processor control. The provider's sales material is not enough. The controller needs evidence.

Where the request concerns employment disputes, litigation, whistleblowing, safeguarding, health records, regulatory complaints or professional advice, the selection exercise should be more exacting. These are not ordinary bulk-data exercises. They may involve sensitive personal data, allegations, protected material, legal professional privilege, confidential sources, vulnerable people or documents that could affect live proceedings.

01

Capability

Can the provider run secure searches, review large mixed datasets and produce a usable disclosure pack?

02

Confidentiality

Are reviewers trained and bound by appropriate duties when handling sensitive, privileged or third-party material?

03

Control

Can the controller audit the work, review decisions, obtain logs and stop unauthorised sub-processing?

Contract controls

Whenever a controller uses a processor, there must be a written contract or other legal act in place. For SAR outsourcing, the contract should not be a generic data protection appendix that nobody uses. It should connect directly to the work: what data is being processed, what systems may be searched, what instructions apply, how secure transfer will work, who may access the material, what logs must be kept, and what happens at the end of the engagement.

The ICO's contracts guidance lists core Article 28 controls, including processing only on documented instructions, confidentiality, security, sub-processors, assistance with individual rights, breach and DPIA support, deletion or return of data, and audit or inspection obligations. Those controls should be operationalised in the SAR workflow rather than copied into a contract and forgotten.

A strong SAR processing agreement should also address escalation. The processor should know when to stop and refer a point back to the controller. Examples include possible privilege, legally sensitive correspondence, third-party personal data, safeguarding material, suspected data breach, disagreement about scope, unclear requester identity, excessive requests, repeated requests, hostile correspondence or evidence that the request overlaps with litigation.

The contract should preserve decision-making control

The processor can support the search and review. It should not quietly decide what the requester is entitled to receive unless the controller has given clear instructions and retained oversight of the legal decision.

Search, scope and deadlines

SAR outsourcing frequently fails at the search stage. The processor may search the wrong systems, miss archived records, rely on over-narrow search terms, fail to identify personal data in emails, or produce large volumes without proper filtering. The controller may then be left with either an incomplete response or an unmanageable disclosure set.

Current ICO guidance states that organisations must make a reasonable and proportionate search. That requires reasonable efforts to find and retrieve requested information, while recognising that searches do not have to be unreasonable or disproportionate to the importance of providing access. The controller should still be able to show why a particular search was adequate or why a search would have been unreasonable or disproportionate.

Deadlines also need active control. The usual response period is without undue delay and at the latest within one month, subject to rules on identity, authority and limited fee situations. The period can be extended by a further two months where the request is complex or the person has made a number of requests. Since the 2025 reforms, the UK framework also recognises a stop-the-clock mechanism where clarification is reasonably required. That mechanism should not be used on a blanket basis to delay difficult requests.

Outsourcing does not make a request complex by itself. The ICO guidance expressly states that a request is not complex just because the organisation has to rely on a processor to provide information needed for the response. That is a critical operational point. A controller should not treat its own outsourcing model as a reason to weaken the right of access.

1

Receive. Record date, channel, identity position, authority and initial scope.

2

Map. Identify systems, custodians, processors, archives, search terms and likely sensitivity.

3

Review. Separate personal data, third-party material, exemptions, privilege and redactions.

4

Respond. Provide the disclosure, supplementary information, refusal reasons and complaint routes.

Exemptions, confidentiality and privilege

A major risk in outsourced SAR handling is over-disclosure. A processor may not understand legal professional privilege, confidential negotiations, third-party personal data, safeguarding sensitivity, regulatory material, management information or the distinction between a document that mentions a person and personal data to which the person is entitled.

The UK right of access is not an unrestricted right to every document in which a person is named. The ICO guidance explains that the right allows people to access their own personal information. They are not entitled to information about other people unless their own personal information also relates to those other people, or they are exercising another person's right on their behalf. Emails can be particularly difficult because only part of an email may be the requester's personal data.

Exemptions require discipline. The ICO guidance states that exemptions should be considered case by case, cannot be applied routinely or in a blanket fashion, and should be documented under the accountability principle. If a controller refuses to comply with a request, it must normally inform the requester of the reasons, their right to complain to the controller, their right to complain to the ICO, and their ability to enforce rights through the courts.

Privilege-sensitive files need special handling. Where a law firm or review provider is instructed to support SAR processing, the controller should identify privileged material early, separate legal advice from factual records, and avoid creating disclosure logs that accidentally reveal protected strategy. Privilege is not a label to apply casually, but neither should it be lost through poor outsourcing design.

Oversight and quality control

The controller should build quality control into the project. That means sampling searches, reviewing redactions, checking withheld categories, testing consistency across reviewers, recording instructions, tracking deadlines and ensuring the final response is intelligible. It also means making sure that the processor reports uncertainty rather than masking it.

Oversight is especially important where the processor has a continuing commercial relationship with the controller. A provider may be perceived as independent because it is external, but external status does not guarantee impartiality. The controller should address role clarity, decision authority, escalation routes and audit logs so that the response can withstand scrutiny if challenged by the requester, the ICO or a court.

Transparency to the requester should be handled carefully. The controller does not need to narrate every internal workflow step, but it should not mislead the requester about who is handling their data. Privacy information, processor arrangements and response communications should be consistent with the reality of the outsourcing arrangement.

The practical evidence test

The safest way to assess an outsourced SAR process is to ask whether the controller could prove what happened. If the requester complains, can the controller show when the request was received, what systems were searched, what terms were used, which processor worked on the material, what instructions were given, what was withheld, why it was withheld, what was redacted, when clarification was requested, and how the response deadline was calculated?

If the answer is no, the outsourcing model is too weak. A compliant process should leave an audit trail. It should show control rather than dependency, judgment rather than automation, and accountability rather than delegation by habit.

For controllers

Keep the processor agreement, instructions, search plan, deadline calculation, review log, exemption reasoning and final response.

For processors

Keep work logs, security records, reviewer allocation, redaction notes, escalation records and deletion or return confirmation.

For requesters

Keep the SAR, clarification correspondence, response pack, refusal reasons, redaction concerns and complaint correspondence.

Source anchors

These sources support the legal and regulatory framework used in this article. They do not prove any disputed complaint, breach or organisation-specific failure.

The Legal Lens point

Outsourcing SAR work can be lawful, efficient and sensible. It can also be dangerous if the controller treats the processor as a shield. The right of access is exercised against the controller. The controller must keep the judgment, the evidence and the accountability.

The practical rule is simple. Outsource capacity, not responsibility. Use processors for expertise, workflow and review support, but retain control over scope, search, exemptions, disclosure, redaction, deadline calculation and final communication. A SAR response that cannot be explained is a weak response, however impressive the outsourced platform may look.

SAR route and evidence map

If a subject access request, data disclosure dispute or outsourced review process needs structure, Legal Lens can help organise the documents, issues and practical route before complaint, correspondence or specialist review.

Identify the SAR issue

Clarify whether the problem concerns scope, delay, redaction, exemptions, processor handling, privilege or missing records.

Map the evidence

Organise the request, acknowledgement, clarification messages, response pack, redactions, refusal reasons and complaint trail.

Choose the route

Separate controller complaint, ICO complaint, correspondence, litigation sensitivity and specialist advice routes.

Issue map

Scope, search, processor control, exemptions, redactions and complaint route.

Evidence schedule

Requests, responses, logs, reasons, chronology and missing records.

Independent Legal Lens consultancy. Legal Lens is not a regulated solicitors' firm. A preliminary assessment is not a substitute for regulated legal advice where that is needed.

Legal Lens publishes public-interest commentary and practical legal education. This article is not legal advice. SAR disputes may overlap with litigation, employment, whistleblowing, safeguarding, health records, privilege, confidentiality, data security, regulatory complaints and limitation issues.

Leave a Reply

Your email address will not be published. Required fields are marked *

Skip to toolbar