Data Privacy Week: Dealing with data breaches and SARs

With Data Privacy Week running from 24 to 28 January, Briefed want to join the international effort to create awareness about data privacy and the pitfalls affecting the legal industry.

Throughout 2023, we advised law firms and chambers across the UK on dozens of data breaches. The vast majority of these breaches came from simple human errors that can happen to anyone, but it is vital to know what action needs to be taken when small mistakes do occur.

What to do if you have had a data breach

Your first step is to contain the breach and take steps to make sure it can’t happen again. You can do this by assessing the severity of the breach, checking:

  • What data is involved – is any special category data affected (health, race, sexual orientation)?
  • The risk to individuals and other third parties.
  • What harm may be caused to the organisation (employees, shareholders, reputation etc).
  • Were any security measures in place, such as passwords or encryption keys? You may be able to note this as a ‘near miss’ when sufficient protections prevent data from being accessed.

The ICO states that, when dealing with a breach, it is crucial that the commercial considerations of the organisation never outweigh the obligations to protect individuals. The principle of protecting individuals’ data is of the utmost importance.

In light of this, if you feel that any of the following are a possibility

Top reasons for requesting a SAR

Similarly, in recent years we have seen a notable increase in the number of Subject Access Requests (SARs) received by chambers and other organisations. There could be a host of reasons why this surge has occurred; however, it can be attributed to the ever-growing emphasis on data protection in public consciousness.

Three specific groups have emerged as the main contributors to the bulk of recent subject access requests:

Dissatisfied Clients – Often, an overly litigious client who is frustrated with the result of their case will make a SAR in an attempt to find a fault.

Rejected Pupillage Applicants – SARs are now increasingly being used as a means of obtaining interview notes, feedback and internal correspondence relating to an individual’s application.

Former Employees or Barristers – More ex-employees are seeking copies of all documentation that references them, thus creating a considerable admin task for Chambers. It can take weeks to sift through countless emails and documents in an attempt to fulfil their request.

What to do if you receive a Subject Access Request (SAR)

Clarify the request:

Is the request actually a SAR? SARs have no specified format and may not even use the words ‘Subject Access Request.’ Also identify the individual making the request. You can do this by requesting photo ID, so that you are sure of their identity before sharing personal data.

Act immediately:

You have one calendar month to respond to the SAR in full.

  • Circulate the request among all relevant parties to identify and obtain all data held on the individual – this is not limited to paper records.
  • Consult your retention policy – how long have you held data on this individual?
  • Ensure all avenues are checked – archives, deleted emails, redundant servers.

Consider third parties:

You may need to check what information is held on the data subject by other parties you regularly share information with. Also consider whether the requested documentation contains personal data of third parties – have they consented to this being shared?

Seek professional advice:

  • Seek advice before sharing any information; there are circumstances where you can and should refuse to share it.
  • If you need to, apply for a time extension on fulfilling the request.

DPO service offer – Get in touch

As a result of this notable increase in SARs, Briefed are now offering a Data Protection Officer (DPO) support service. With this service, we will be able to aid you in navigating any queries you may have regarding GDPR, SARs or data breaches.

We offer specialist assistance and advice, including:

  • Reviewing current GDPR policies you have in place.
  • Creating work flowcharts to provide an overview of key data protection processes.
  • Creating necessary policies and documents that are not currently in place.

If you would like further information on how we can support you with these issues, feel free to contact us by email at or contact us on 028 9621 634.


Associate News is provided by Legal Futures Associates.