
Silence isn't Golden with Subject Access Requests


In our role as DPO for a large number of busy GP practices, we are hyper aware of the importance of how organisations handle subject access requests. This process is about trust, transparency and accountability.


Staying on the right side of compliance means:

(1) monitoring disclosure requests

(2) actively engaging with your Data Protection Officer (DPO)

(3) avoiding the “radio silence” trap.


1. Monitoring Disclosure Requests

A subject access request (often abbreviated SAR, or sometimes DSAR) is a request made under the right of access, as set out in the Information Commissioner’s Office (ICO)’s guidance and the Data Protection Act 2018 / UK General Data Protection Regulation framework. For example:

  • In one recent case, a care-home director was criminally prosecuted for failing to respond to a request and even concealing records.

  • The ICO emphasised that subject access requests are a fundamental right.

  • Organisations must respond to a SAR within one month (extendable to three months in certain circumstances).


So what does “monitoring disclosure requests” really mean in practice?

  • Tracking receipt: Ensure that any request is logged immediately: date received, requester, nature of request.

  • Status monitoring: Have visibility over each request’s stage (acknowledged, assessed, data retrieval, redaction, response).

  • Timeliness: Ensure deadlines are met (or properly extended) and the organisation is not sitting on requests.

  • Quality & completeness: Ensure the disclosure is correct, not just “something thrown together” in a rush.

  • Post-response follow-up: Did the requester accept the disclosure? Is there a dispute / complaint?

  • Trend analysis: Are you getting a lot of requests? Are certain types of records repeatedly involved? Are there backlogs creeping up?


Why is this so important?

  • It’s a legal requirement and ignoring it risks enforcement (and in extreme cases, criminal prosecution).

  • It’s a reputational issue: if people can’t access their personal data, or worse, you are seen to be hiding or delaying it, trust erodes.

  • It’s a data governance indicator; how you handle requests tells you how mature your records, archiving and retrieval systems are.


2. Engaging with Your DPO

Your DPO (whether internal or outsourced) is far more than a “tick-box” compliance role.


They are the adviser, the watchdog, the escalation point and the interface between the organisation and regulation. Here’s how engaging with them strengthens your disclosure-request monitoring and overall data-protection posture:


  • Early involvement: If the request seems complex or contentious, the DPO should be notified. They help assess complexity (are there third-party rights? Sensitive data? Exemptions?), guide the timeline, and help ensure staff follow the right process.

  • Process design & review: The DPO should help design or review your disclosure-process workflows, escalation triggers, reporting dashboards.

  • Training & awareness: The DPO can support training so staff recognise when a disclosure request arrives (it might not be labelled “SAR”; any request for “all the data you hold about me” could count).

  • Risk assessment & mitigation: Together with the DPO, you should identify the risks of non-compliance (delays, incomplete disclosures, tampering concerns) and put mitigations in place.

  • Escalation & external liaison: If things go wrong (e.g., you discover records have been deleted, tampered with, or you face complaint/enforcement), the DPO should be involved as lead for regulatory liaison, internal investigation and remediation.


When organisations treat the DPO as a reactive person only (i.e., they only get involved if “there is a problem”), they miss this proactive protection layer.


3. No Radio Silence

“Radio silence” in this context means ignoring, delaying without reason, or not properly communicating around disclosure requests and data rights. Why is this absolutely dangerous?

  • Criminal liability: The case of the care-home director shows that non-response or concealment can lead to criminal prosecution.

  • Escalation of harm: A delayed or inadequate response may lead to a complaint to the ICO, which can drive an investigation, enforcement notice or significant fine.

  • Trust breakdown: Stakeholders (data subjects, regulators, the public) lose faith when requests are met with silence or obfuscation.

  • Hidden signals: Radio silence often means there is a deeper problem, e.g., you don’t know where records are, you lack retrieval systems, you have unclear process ownership.

  • Missed learning: Without communication and review, you won’t learn what causes delays and backlogs, and you risk repeat failures.


What to do to avoid radio silence:


  • Acknowledge immediately: When a request arrives, send a quick acknowledgement to the requester (even if full response will take time).

  • Stay in communication: If you need an extension (for a complex request), tell the requester, say why, and give an estimated timeframe.

  • Internal escalation: If a deadline is at risk of being missed, escalate internally via the DPO/lead - but keep communicating with the requester.

  • Document everything: Log communications, reasons for delay, decisions about redactions/exemptions.
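The monitoring points in section 1 (log receipt, track stage, watch deadlines, spot trends) and the anti-silence steps above (acknowledge, record extensions, escalate, document) are easy to state and easy to lose track of across a busy practice. The following SAR register is an added example, not code from the original post or from any particular product; it assumes a simple in-memory register with constructed sample requests (invented references, requesters and dates), and it computes the statutory deadline as one calendar month from receipt, or three months in total when an extension has been lawfully decided within the original month, clamping to the last day of the month when the same day does not exist (31 January plus one month falls on the last day of February).

```python
"""Minimal subject access request (SAR) register: deadlines, stages, audit trail.

Added example, not part of the original post. The sample requests below are
constructed; a real practice would keep this in its case-management system.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date

STAGES = ("received", "acknowledged", "assessed", "retrieval", "redaction", "responded")
REPORT_DATE = date(2024, 3, 4)  # constructed "today" for the sample dashboard


def add_months(d: date, months: int) -> date:
    """Same day `months` later, clamped to the last day of the target month."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def deadline_for(received_iso: str, extended: bool = False) -> str:
    """Statutory response deadline (ISO date) for a request received on a given day."""
    return add_months(date.fromisoformat(received_iso), 3 if extended else 1).isoformat()


@dataclass
class Request:
    ref: str
    requester: str
    received: date
    nature: str
    stage: str = "received"
    extended: bool = False
    communications: list[tuple[date, str]] = field(default_factory=list)  # outbound audit trail

    @property
    def deadline(self) -> date:
        return add_months(self.received, 3 if self.extended else 1)


class SarRegister:
    def __init__(self) -> None:
        self.requests: dict[str, Request] = {}

    def log(self, ref: str, requester: str, received: date, nature: str) -> Request:
        self.requests[ref] = Request(ref, requester, received, nature)
        return self.requests[ref]

    def acknowledge(self, ref: str, on: date) -> None:
        self.requests[ref].stage = "acknowledged"
        self.requests[ref].communications.append((on, "acknowledgement sent"))

    def advance(self, ref: str, stage: str) -> None:
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        self.requests[ref].stage = stage

    def extend(self, ref: str, on: date, reason: str) -> None:
        """Record an extension; it must be decided before the original month runs out."""
        req = self.requests[ref]
        if req.stage == "responded" or on > req.deadline:
            raise ValueError("extension must be decided within the original one-month period")
        req.extended = True
        req.communications.append((on, f"extension notified to requester: {reason}"))

    def _open(self):
        return [r for r in self.requests.values() if r.stage != "responded"]

    def overdue(self, today: date) -> list[str]:
        return [r.ref for r in self._open() if today > r.deadline]

    def at_risk(self, today: date, within_days: int = 7) -> list[str]:
        return [r.ref for r in self._open() if 0 <= (r.deadline - today).days <= within_days]

    def silent(self, today: date, max_gap_days: int = 14) -> list[str]:
        """Open requests with no outbound communication for `max_gap_days` or more."""
        out = []
        for r in self._open():
            last_contact = max((d for d, _ in r.communications), default=r.received)
            if (today - last_contact).days >= max_gap_days:
                out.append(r.ref)
        return out

    def trend(self) -> dict[str, int]:
        """Open requests grouped by the kind of record involved."""
        counts: dict[str, int] = {}
        for r in self._open():
            counts[r.nature] = counts.get(r.nature, 0) + 1
        return counts


def build_sample_register() -> SarRegister:
    """Constructed sample data: four requests in various states."""
    reg = SarRegister()
    reg.log("SAR-001", "patient A", date(2024, 1, 31), "full medical record")
    reg.acknowledge("SAR-001", date(2024, 2, 1))           # then nothing further
    reg.log("SAR-002", "patient B", date(2024, 2, 10), "full medical record")
    reg.acknowledge("SAR-002", date(2024, 2, 12))
    reg.extend("SAR-002", date(2024, 2, 20), "third-party information requires review")
    reg.advance("SAR-002", "redaction")
    reg.log("SAR-003", "patient C", date(2024, 2, 15), "correspondence only")
    reg.acknowledge("SAR-003", date(2024, 2, 15))
    reg.advance("SAR-003", "responded")
    reg.log("SAR-004", "patient D", date(2024, 2, 5), "full medical record")  # never acknowledged
    return reg


def dashboard(today: date = REPORT_DATE) -> dict:
    """The figures a DPO would want on a weekly check-in."""
    reg = build_sample_register()
    return {"overdue": reg.overdue(today), "at_risk": reg.at_risk(today),
            "silent": reg.silent(today), "trend": reg.trend()}


if __name__ == "__main__":
    for key, value in dashboard().items():
        print(f"{key}: {value}")
```

Run as a script it prints the dashboard for the constructed date: SAR-001 is overdue (received 31 January, deadline 29 February) and has had no outbound contact for over a month, SAR-004 is due tomorrow and was never even acknowledged, and SAR-002 is comfortably within its extended deadline because the extension was decided and communicated inside the original month. The `silent` list is the register's own "radio silence" detector; the fourteen-day gap is an assumed threshold, not a statutory one.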


Final Thought

The risk landscape has shifted. What used to be “maybe we’ll get a slap on the wrist” is now “prosecution, personal liability, serious reputational damage”. The message from the ICO is clear: responding to disclosure requests is a fundamental right, and organisations must treat it accordingly.


Don’t let your organisation be the next cautionary example. Make monitoring real, engage your DPO, and keep the lines open, no radio silence.


Emma Kitcher, Privacy Nerd