Defending against weaponised subject access requests: How to protect your business


Subject Access Requests (SAR) ensure that individuals keep control of the data they’ve entrusted to organisations. They’re a vital part of the trust-building transparency at the heart of the UK GDPR and Data Protection laws. SARs, also known as Data Subject Access Requests (DSAR), give people the right to know what personal information an organisation holds about them. However, a right introduced to ensure fairness and accountability is now being used strategically, in what has become known as the ‘weaponised SAR’.


Table of contents
  1. What is a ‘weaponised SAR’?
  2. Does the new Data Use and Access Act (DUAA) stop weaponised SAR?
  3. The real-world impact of weaponised SARs on businesses
  4. The hidden costs of SARs
  5. Why disparate IT systems make SAR more complex
  6. Using subject access requests to create a competitive advantage
  7. Establishing a culture of openness and good governance


While the new Data Use and Access Act (DUAA) will curb some abuses, it won’t entirely stop weaponised SAR.

The best defence is to have IT systems that enable effective data governance and management. Data becomes more traceable and accessible, streamlining your response to SARs. In this article, we’ll examine the practical steps to achieve this and explore how this also bolsters your UK GDPR compliance, demonstrating your commitment to safeguarding personal data.

First, we’ll look at the most common forms of weaponised SARs.


What is a ‘weaponised SAR’?

SARs become weaponised when they are used strategically, for example, by:

  • Disgruntled employees looking for leverage against the organisation or evidence for legal proceedings
  • Groups of individuals purposely obstructing an organisation with mass requests
  • Claims Management Companies submitting requests in bulk
  • Criminals hoping to gain information they can use in phishing or fraud

The overall number of SARs is surging, growing 11% over the last year alone, with Scottish local authorities facing a 68% rise between 2021 and 2024.

With increases at this level, the time it takes to deal with requests soon mounts up. Some larger companies now have so many that they’ve established a dedicated SAR team. This is not an option for smaller businesses that must divert employees, typically from HR and IT, from their day-to-day tasks.


Does the new Data Use and Access Act (DUAA) stop weaponised SAR?

The new Act made some amendments to the SAR regulations, introducing some protection against the worst abuses.

However, it does not stop their weaponisation altogether. In particular, it does not prevent SARs from being used as a pre-litigation fishing exercise. While organisations can refuse requests that are ‘manifestly unfounded or excessive’, the burden of proof and bureaucracy remains with the organisation.

According to Roy Magara, Employment Solicitor and Director at Magara Law, the rise of so-called “weaponised” subject access requests reflects something deeper than misuse of the GDPR. It reflects a serious breakdown of trust in workplace relationships.

“In employment disputes, DSARs are rarely driven by malice,” Roy explains. “They usually appear when an employee feels shut out of the process, whether that’s a grievance, redundancy, or disciplinary. It’s less about aggressively weaponising data, and more about seeking transparency when communication has failed.”

Law firms themselves are increasingly aware of how data governance affects employee relations and client trust, which is why many now prioritise secure, compliance-focused IT support for law firms to ensure their own systems can handle SARs effectively.


The real-world impact of weaponised SARs on businesses

Whatever the motive for a SAR, the breakdown of trust between employer and employee can have a considerable impact on an organisation. The extent of that impact depends on the complexity of the request and the number of employee hours it takes to respond. In the most difficult cases, employees are diverted from day-to-day duties, affecting productivity and operations.

Here’s what the process might be like for a small to medium-sized business:

1. An unhappy employee launches a SAR

Suppose an employee is accused of misconduct, leaves their job, and begins legal proceedings against their former employer, a small financial services company. They ask for copies of all their personal information, hoping to find a ‘smoking gun,’ such as emails or Slack messages discussing the case outside the legal framework.

2. Searching for records across multiple systems is complex

While the business suspects it is a fishing expedition by the employee, it is obliged to supply the information within 30 days. This could span thousands of emails, records, meeting notes, and HR investigations. As the employee was accused of misconduct, it could also include client interactions and involve other people’s personal information.

From an employment law perspective, Roy Magara points out that motive is legally irrelevant. Courts have made it clear that individuals are entitled to access their data, even if their real purpose is to assist in litigation. For employers, this means that refusing or delaying a response can not only invite scrutiny from the ICO but also undermine credibility if the dispute later reaches an Employment Tribunal.

3. Disparate systems add to the problem

The company doesn’t have a centralised IT system, so information is fragmented and siloed. Some data is replicated across several databases, with older records in paper files. First identifying and then locating all the information is a time-consuming process.

4. Day-to-day operations are disrupted

The company’s in-house IT manager is tied up locating information and is slower to respond to employee access issues or software downtime.


The hidden costs of SARs

There is generally no charge for individuals submitting a request. The cost to an organisation can be considerable: lost employee time, legal advice and expenses, and a possible fine or reprimand from the ICO if compliance falls short.

Here’s how the costs quickly mount up:

1. SARs take up employee time

The data retrieval process can be lengthy and complex. After identifying the personal data an organisation holds on an individual, the IT team must carry out a forensic search of emails, messages, and other digital records.

Without a unified IT system, this must be done manually. If data is replicated across different systems and departments, it has to be deduplicated.

2. Additional expenses from outsourced business functions

Without specialist in-house knowledge, organisations may have to engage outsourced eDiscovery teams. Smaller companies may already have outsourced IT support and HR services, where additional hours are billable by request.

3. Expert legal advice is needed

The company’s SAR process must comply with Data Protection law and the UK GDPR. If the data includes sensitive information about clients or other employees, these details must be redacted or anonymised for data protection.

Failure to redact can lead to a UK GDPR compliance issue and a fine or reprimand from the ICO. Expert legal advice ensures organisations comply and is especially useful in complex cases and employment disputes.

4. Risk of reputational damage

Many organisations struggle to answer SARs within the thirty-day timeframe, but the ICO has cracked down on non-compliance. Recent reprimands were issued to the Glasgow City Council and the City of Edinburgh Council.

5. Greater business impact for some sectors

Keeping the personal data you hold to a minimum and only for as long as necessary is a UK GDPR Principle. However, some sectors, such as healthcare, must keep records for 8 years or even longer. With more records to search through, meeting the SAR deadline is more challenging. Employees are diverted from usual business operations for longer, impacting workflows and productivity.

Organisations that collect Special Category Data, highly sensitive information such as race, ethnicity, or religious beliefs, may need legal guidance on what must be withheld or redacted. This may also apply to documents such as counselling notes or social work records, or information that affects legal proceedings.


Why disparate IT systems make SAR more complex

Organisations may be allowed an extension in complex cases, but as soon as an organisation receives a SAR, the clock starts ticking down to the deadline. Businesses that have fragmented, siloed data in disparate systems face challenges gathering information in time:


Using subject access requests to create a competitive advantage

Readily accessible data is the basis for a streamlined SAR process and the first defence against weaponised SAR. It is the foundation for improved data governance and management, enabling regulatory compliance while reducing the risk of a data breach or security incident. It also helps establish a culture of transparency and open communication.

“An organisation that looks obstructive in its data practices often looks obstructive in its management practices too,” Roy notes. “Handling DSARs fairly and transparently isn’t just about compliance. It’s about reputation and culture.”

Conversely, employers that maintain transparent processes and clear data governance tend to face fewer adversarial requests.

“SARs are often a barometer of culture,” he adds. “When employees trust how decisions are made, they rarely feel the need to use data laws to get answers. The best way to prevent so-called weaponisation is to invest in openness and good governance from the start.”



Establishing a culture of openness and good governance

Data that is accessible across an organisation is also more traceable and secure.

As Texaport’s Director, Hugh Caldwell says,

“Having seen first-hand through our client base how a weaponised Subject Access Request can disrupt a business, it has reinforced for me the critical importance of having robust data security policies in place. At Texaport, we pair this with a strategic partnership with an industry-leading law firm that provides outsourced HR and legal support. This means that, should the worst happen, we have both the legal expertise and the technical resilience to respond swiftly and compliantly. By aligning our own business systems solely within the Microsoft ecosystem, we ensure our data is secure, discoverable, and efficiently managed, significantly reducing risk and cost in these scenarios.”

The first step?

Discovering how to convert your IT environment into one that supports more visible, accessible data, boosts regulatory compliance, and streamlines SAR processes:

1. Understand your current IT environment

An IT audit is a comprehensive inventory of your systems, pinpointing how well they support your business goals and operations. It will also detect any compliance or security issues.

2. Streamline your systems

An IT audit will also identify a clear roadmap forward, suggesting compatible applications that replace disparate, hard-to-connect systems. For example, an organisation that currently relies on core business applications supplied by multiple vendors might choose to migrate to a compatible suite of Microsoft services.

3. Make data more accessible

Integration between compatible systems breaks down information silos and reduces fragmentation, making data quicker and easier to find.

4. Improve regulatory compliance and reduce risk

More visible data improves data governance and management. Organisations can keep track of the information they hold and quickly answer SARs.

A GDPR consultation will detect any compliance gaps and establish processes, such as patching and regular backups, that help to safeguard data.



Subject Access Requests give people control over their data. When organisations respond quickly, they are a route to enhancing openness and building trust. However, a few people will always try to use them strategically, ‘weaponising’ them against organisations.

The best defence is preparation, establishing processes for a rapid response. Unified IT systems are the foundation, ensuring data is easily traceable and accessible while strengthening UK GDPR compliance.

If your organisation wants to strengthen its compliance posture and better manage legal data challenges, Texaport is here to help with our compliance services. With our security-first approach, deep technical expertise and strategic legal partnerships, we ensure your data remains secure, discoverable and compliant across every system. Contact us today to find out how we can support you.
