Solution Atlas
EverydayUser storyConsultative playbook

Subject access requests take three weeks and the regulator wants three days

The privacy team is buried in subject access requests under GDPR. Each request takes weeks of hunting through Outlook, SharePoint, Teams, the CRM, and HR records by hand. The regulator has started citing the company for slow responses. Microsoft Priva would automate the search step.

Trigger
Regulator pressure on subject access response times.
Good outcome
When a subject access request comes in, the search runs automatically across every system. The team reviews the results, redacts what's needed, and responds in under five days instead of three weeks.
Discovery — signals and questions

Signals validating this story

  • ·Regulator has cited the firm for slow SAR response
  • ·SAR response time measured in weeks, not days
  • ·Privacy team performing manual discovery across Outlook, SharePoint, Teams, CRM, HR
  • ·No central SAR workflow — each request is bespoke
  • ·Volume rising year-on-year and the team cannot keep up

Discovery questions

  1. 1.How many subject access requests do you process per year, and how is that trending?

    WhySizes the business case. Volume × per-request cost is the headline number.

    Listen for: “volume is doubling year on year” · “we cannot keep up” · “we are missing the regulator deadline regularly”

  2. 2.What is your current SAR response time, and what does the regulator require?

    WhyPinpoints the gap.

    Listen for: “three weeks today, regulator wants under 30 days” · “we are out of compliance” · “the regulator has cited us”

  3. 3.Which data systems must be searched for each SAR — Outlook, SharePoint, Teams, CRM, HR, others?

    WhyDrives the connector inventory. Priva covers M365 natively; non-M365 systems need adapters or manual handling.

  4. 4.Who performs SAR discovery today — Privacy, Legal, IT, or a mix?

    WhySurfaces the ownership model and the redirection of effort once Priva is live.

  5. 5.What review and redaction happens before the response is sent?

    WhyDiscovery is half the workflow — review and redaction is the other half. Sizes the human-in-the-loop scope.

  6. 6.How does the SAR workflow connect to deletion and rectification rights?

    WhySAR is one of several data subject rights; the architecture often covers all of them. Frames the broader investment.

Baseline architectureTarget architecture
Baseline architecture

SAR fulfilment is manual. Privacy or Legal staff perform eDiscovery searches across Outlook, SharePoint, Teams, CRM, and HR for each request. Review and redaction is line-by-line. No central workflow — each SAR is bespoke. Response time measured in weeks. Audit trail patchy. Regulator has begun citing the firm for slow responses.

Typical concerns

  • ·Response time exceeds regulator expectations
  • ·Privacy team buried in manual data hunting
  • ·Audit trail of who searched what is patchy
  • ·Non-M365 systems (CRM, HR) need manual export
  • ·Volume rising and the team cannot keep up

Capability gaps

  • ·Central SAR workflow with case management
  • ·Automated discovery across M365 estate
  • ·Review and redaction tooling
  • ·Connector strategy for non-M365 systems
  • ·SLA tracking and regulator reporting
Target architecture

Microsoft Priva Subject Rights Requests runs the SAR workflow with case management, SLA tracking, and audit trail. Priva discovers content across the M365 estate using sensitivity labels for prioritisation. Review and redaction happens in Priva with reviewer assignment. Non-M365 systems integrated via connector or scheduled export. Privacy team shifts from manual data hunting to review and decision-making. Response time under 5 days.

Key capabilities

  • Central SAR case management
  • Automated M365 discovery
  • Reviewer-assigned redaction
  • SLA tracking with regulator reporting
  • Non-M365 connector strategy
Architecture decisions
  1. 1.Priva licensing — Priva Privacy vs Priva Subject Rights Requests vs both

    Priva Subject Rights Requests only

    Fits whenSAR is the immediate pressure; broader privacy programme runs separately.

    Trade-offsNo risk management or data minimisation; SAR-only.

    Priva Privacy (full)

    Fits whenPrivacy programme is broader; data minimisation, risk management, and SAR all required.

    Trade-offsLarger commitment; longer enablement.

    Both as part of a Priva suite

    Fits whenMature privacy programme; the full suite is the strategic posture.

    Trade-offsCost. Pace of adoption needs careful sequencing.

    Default recommendationPriva Subject Rights Requests for the trial; Priva Privacy added in the next phase if the broader programme is in scope.

  2. 2.Non-M365 system integration — manual export vs Power Platform connector vs custom integration

    Manual export

    Fits whenLow SAR volume from non-M365 systems; bespoke handling acceptable.

    Trade-offsManual effort persists; risk of incomplete responses.

    Power Platform connector

    Fits whenCRM, HR, or finance systems with Power Platform connectors; low-code feasible.

    Trade-offsConnector coverage varies; some systems lack connectors.

    Custom integration

    Fits whenHigh SAR volume from a specific non-M365 system; full automation worth the build.

    Trade-offsBuild cost; ongoing maintenance.

    Default recommendationManual export for the trial; Power Platform connector for the highest-volume non-M365 system in phase two.

  3. 3.Review and redaction — Privacy-led vs Legal-led vs business-unit-led

    Privacy-led

    Fits whenStrong privacy function; redaction policy centralised.

    Trade-offsBottleneck risk as volume rises.

    Legal-led

    Fits whenLegal owns SAR responses end-to-end; redaction is part of the legal review.

    Trade-offsLegal becomes the bottleneck; slower turnaround.

    Business-unit-led with Privacy oversight

    Fits whenMature business units; Privacy provides templates and oversight.

    Trade-offsConsistency risk across business units.

    Default recommendationPrivacy-led with Legal sign-off on edge cases. Move toward business-unit-led with Privacy oversight as volume rises.

Low-risk trial — proof of value

45-day Priva SAR pilot for one business unit

~6 weeks

Priva Subject Rights Requests enabled for the tenant. Pilot scoped to one business unit (typically HR or Customer Operations). Three to five live SAR cases run through Priva end-to-end with case management, M365 discovery, reviewer assignment, and audit trail. Non-M365 system handling documented as manual export with target connector identified for phase two. SLA tracking dashboard live.

Success criteria

  • Three to five SAR cases completed via Priva with audit trail
  • Response time under 5 days for the pilot business unit
  • Reviewer workflow operational with two named reviewers
  • SLA tracking dashboard with regulator-ready reporting

InvestmentPriva Subject Rights Requests is licensed per request and per user. Estimated ~€3–6k/month for the pilot scope. Existing manual SAR workflow continues outside the pilot business unit during trial.

Proof metrics

  • ·SAR response time under 5 days for pilot business unit
  • ·Three to five SAR cases completed through Priva with audit trail
  • ·Reviewer hours per SAR reduced 60%+ vs baseline
  • ·Audit-defensible workflow with reviewer attestation

Recommended cards

The SKUs and capabilities most likely to be part of the solution, with the editorial rationale for each in the context of this story. Add the ones that fit your situation.

Back to Privacy and consent