
Subject access requests take three weeks and the regulator wants three days

The privacy team is buried in subject access requests. Each request takes weeks of manual data hunting across Outlook, SharePoint, Teams, CRM, and HR. The regulator has begun citing the firm for slow responses. Microsoft Priva would automate the discovery step.

Trigger
Regulator pressure on SAR response time.
Good outcome
Priva live for SAR discovery, response time under 5 days, audit-defensible workflow.
Diagnostic discovery

Signals this story fits

Observable cues that confirm the conversation belongs here.

  • Regulator has cited the firm for slow SAR response
  • SAR response time measured in weeks, not days
  • Privacy team performing manual discovery across Outlook, SharePoint, Teams, CRM, HR
  • No central SAR workflow — each request is bespoke
  • Volume rising year-on-year and the team cannot keep up

Questions to ask

Open-ended, SPIN-style — each one has a reason it matters.

  1. How many subject access requests do you process per year, and how is that trending?

    Why: Sizes the business case. Volume × per-request cost is the headline number.

    Listen for: “volume is doubling year on year” · “we cannot keep up” · “we are missing the regulator deadline regularly”

  2. What is your current SAR response time, and what does the regulator require?

    Why: Pinpoints the gap.

    Listen for: “three weeks today, regulator wants under 30 days” · “we are out of compliance” · “the regulator has cited us”

  3. Which data systems must be searched for each SAR — Outlook, SharePoint, Teams, CRM, HR, others?

    Why: Drives the connector inventory. Priva covers M365 natively; non-M365 systems need adapters or manual handling.

  4. Who performs SAR discovery today — Privacy, Legal, IT, or a mix?

    Why: Surfaces the ownership model and the redirection of effort once Priva is live.

  5. What review and redaction happens before the response is sent?

    Why: Discovery is half the workflow — review and redaction is the other half. Sizes the human-in-the-loop scope.

  6. How does the SAR workflow connect to deletion and rectification rights?

    Why: SAR is one of several data subject rights; the architecture often covers all of them. Frames the broader investment.

Baseline → target architecture

TOGAF-style gap framing — what we typically see today, and what the proposed end state looks like. The gap between them is the engagement.

Baseline architecture

SAR fulfilment is manual. Privacy or Legal staff perform eDiscovery searches across Outlook, SharePoint, Teams, CRM, and HR for each request. Review and redaction is line-by-line. No central workflow — each SAR is bespoke. Response time measured in weeks. Audit trail patchy. Regulator has begun citing the firm for slow responses.

Typical concerns

  • Response time exceeds regulator expectations
  • Privacy team buried in manual data hunting
  • Audit trail of who searched what is patchy
  • Non-M365 systems (CRM, HR) need manual export
  • Volume rising and the team cannot keep up

Capability gaps

  • Central SAR workflow with case management
  • Automated discovery across M365 estate
  • Review and redaction tooling
  • Connector strategy for non-M365 systems
  • SLA tracking and regulator reporting

Target architecture

Microsoft Priva Subject Rights Requests runs the SAR workflow with case management, SLA tracking, and audit trail. Priva discovers content across the M365 estate using sensitivity labels for prioritisation. Review and redaction happens in Priva with reviewer assignment. Non-M365 systems integrated via connector or scheduled export. Privacy team shifts from manual data hunting to review and decision-making. Response time under 5 days.

Key capabilities

  • Central SAR case management
  • Automated M365 discovery
  • Reviewer-assigned redaction
  • SLA tracking with regulator reporting
  • Non-M365 connector strategy

Enabling SKUs

Resolved in the ‘Recommended cards’ section below.

Architecture decisions

Each decision is offered as explicit options with trade-offs — Hohpe's “selling options” principle. A safe default is noted where one exists.

  1. Decision 1: Priva licensing — Priva Privacy vs Priva Subject Rights Requests vs both

    Priva Subject Rights Requests only

    When it fits: SAR is the immediate pressure; broader privacy programme runs separately.

    Trade-offs: No risk management or data minimisation; SAR-only.

    Priva Privacy (full)

    When it fits: Privacy programme is broader; data minimisation, risk management, and SAR all required.

    Trade-offs: Larger commitment; longer enablement.

    Both as part of a Priva suite

    When it fits: Mature privacy programme; the full suite is the strategic posture.

    Trade-offs: Cost. Pace of adoption needs careful sequencing.

    Default recommendation: Priva Subject Rights Requests for the trial; Priva Privacy added in the next phase if the broader programme is in scope.

  2. Decision 2: Non-M365 system integration — manual export vs Power Platform connector vs custom integration

    Manual export

    When it fits: Low SAR volume from non-M365 systems; bespoke handling acceptable.

    Trade-offs: Manual effort persists; risk of incomplete responses.

    Power Platform connector

    When it fits: CRM, HR, or finance systems with Power Platform connectors; low-code feasible.

    Trade-offs: Connector coverage varies; some systems lack connectors.

    Custom integration

    When it fits: High SAR volume from a specific non-M365 system; full automation worth the build.

    Trade-offs: Build cost; ongoing maintenance.

    Default recommendation: Manual export for the trial; Power Platform connector for the highest-volume non-M365 system in phase two.

  3. Decision 3: Review and redaction — Privacy-led vs Legal-led vs business-unit-led

    Privacy-led

    When it fits: Strong privacy function; redaction policy centralised.

    Trade-offs: Bottleneck risk as volume rises.

    Legal-led

    When it fits: Legal owns SAR responses end-to-end; redaction is part of the legal review.

    Trade-offs: Legal becomes the bottleneck; slower turnaround.

    Business-unit-led with Privacy oversight

    When it fits: Mature business units; Privacy provides templates and oversight.

    Trade-offs: Consistency risk across business units.

    Default recommendation: Privacy-led with Legal sign-off on edge cases. Move toward business-unit-led with Privacy oversight as volume rises.

Low-risk trial — proof of value

45-day Priva SAR pilot for one business unit

6 weeks

Priva Subject Rights Requests enabled for the tenant. Pilot scoped to one business unit (typically HR or Customer Operations). Three to five live SAR cases run through Priva end-to-end with case management, M365 discovery, reviewer assignment, and audit trail. Non-M365 system handling documented as manual export with target connector identified for phase two. SLA tracking dashboard live.

Success criteria

  • Three to five SAR cases completed via Priva with audit trail
  • Response time under 5 days for the pilot business unit
  • Reviewer workflow operational with two named reviewers
  • SLA tracking dashboard with regulator-ready reporting

Investment: Priva Subject Rights Requests is licensed per request and per user. Estimated ~€3–6k/month for the pilot scope. Existing manual SAR workflow continues outside the pilot business unit during trial.

Proof metrics

  • SAR response time under 5 days for pilot business unit
  • Three to five SAR cases completed through Priva with audit trail
  • Reviewer hours per SAR reduced 60%+ vs baseline
  • Audit-defensible workflow with reviewer attestation

Recommended cards

The SKUs and capabilities most likely to be part of the solution, with the editorial rationale for each in the context of this story. Add the ones that fit your situation.
