How To Build a DSAR Search Strategy That Actually Works

Most DSAR teams do not have a search strategy. They have habits. Someone checks a mailbox. Someone emails IT. Someone searches a shared drive. Someone remembers an old archive. Someone forgets a crucial system. Every handler works from a different mental map.

That approach used to scrape by. Today it does not. Under UK GDPR, DUAA and current ICO expectations, organisations must show why they searched certain systems, why they did not search others, and how that decision was reasonable and proportionate. Improvisation cannot produce that.

A modern DSAR programme needs structure. It needs templates, system maps and decision models that move teams away from guesswork and toward repeatable, documented logic.

Below is a practical way to build that structure.


The Core DSAR Search Problem

In many organisations, the typical DSAR search looks like this:
A handler reads the request, asks a couple of custodians for help, runs a simple name search in email, checks a shared drive and hopes they have not missed something important.

Scale makes this worse. HR, IT, IG, legal and frontline departments often run their own mini searches with their own rules. Results do not align. Gaps appear. Outcomes look arbitrary to requesters.

Public sector bodies feel this most sharply. Universities sit on decades of mixed archives. NHS bodies operate across sprawling clinical and appointment systems. Councils scatter data across line of business systems that no one person fully understands.

When teams cannot see the whole data landscape, they either search everything or search too little. Both cause problems. Both fuel complaints. Both burn out staff.


What the Law Actually Requires

DUAA has now formalised something the ICO has said for years. Controllers must conduct a search that is reasonable and proportionate. Not exhaustive. Not superficial. Reasonable and proportionate.

But that standard is not a shortcut. It needs evidence. The ICO expects documentation that shows:

  • What systems were searched

  • What systems were excluded

  • Why those choices were made

  • What date ranges and keywords were used

  • Which custodians were involved

  • Any constraints encountered

If each DSAR is handled as a unique, improvised effort, you cannot recreate this trail when challenged.


Why Search Templates Matter

Search templates are not admin. They are your defence. They force the decisions DSAR handlers often skip. They create consistency across teams. They remove guesswork around date ranges, custodians and keywords. They prevent unnecessary “search everything” sweeps that overwhelm redaction workloads.

They also create a narrative you can show a requester or investigator. Instead of “we looked in relevant systems”, you can show structured reasoning.

Well-designed templates produce three things: clarity, consistency and credibility.


Four Templates Every DSAR Team Needs

1. Intake and Scoping Template

Captures context upfront. Employee, student, patient, customer or complainant. Captures clarifications. Flags risk areas. Defines early exclusions with a short explanation.

2. DSAR Search Map Template

A simple table listing systems by function. HR. Finance. Clinical. Student records. Case management. Email. Collaboration tools. It shows search method, custodian and default date range for each.

It replaces a handler’s memory with a predictable structure.

3. Custodian Selection Checklist

A short checklist that turns context into people. For employee cases, consider line manager, HR partner, union rep and colleagues. For student cases, consider tutors, advisors and complaints teams.

No more “oh, I forgot they were involved”.

4. Keyword Logic Template

Defines how keyword sets are chosen so the search is replicable. Includes formal names, nicknames, initials, case numbers, team names and topic terms.

It removes improvisation and provides defensibility.


What a DSAR System Map Really Is

A DSAR system map is not an IT diagram. It is a practical index of where personal data relevant to DSARs is stored and how to search it.

IT diagrams list servers and integrations.
A DSAR map lists:

  • HR core system

  • Recruitment portal

  • Payroll

  • Learning systems

  • Clinical or service delivery tools

  • Shared drives

  • Appeal or complaints portals

  • Email and collaboration tools

Each entry carries notes on how to search it, what defaults apply and which contexts make it relevant.

This makes proportionality possible. It helps teams explain why they did not search an obscure application that adds no value to the requester’s case. It stops “search everything” panic.


How To Build a System Map

1. Start with real processes

Recruitment. Admissions. Clinical care. Tenancy. Complaints. Case management. Map the systems used, the custodians and the data flows in each.

2. Capture where staff actually look

Talk to DSAR handlers. They will reveal shared mailboxes, side spreadsheets and shadow archives that never appear on formal architecture lists.

3. Define proportionality rules

For each system, state:

  • Always search

  • Search for specific contexts

  • Generally exclude unless justified

Anchor these rules in DUAA and ICO guidance. That is what makes them defensible.

A living map reduces unnecessary trawls and the risk of missing critical systems.


The Three Tier DSAR Decision Model

A practical, repeatable model for every DSAR:

Tier 1. Context

Why is the person engaging? What relationship matters?
Employee, student, patient, tenant or complainant.
Capture and clarify early. Pause the clock if needed.

Tier 2. Data Flows

Use the system map to identify where data for that relationship sits.
Search systems connected to the requester’s actual engagement, not theoretical possibilities.

Tier 3. Proportionality

Decide what to include, what to exclude and why.
Document the rationale.

This turns proportionality into a clear decision pathway rather than an excuse.


What Scaling Looks Like

You cannot scale DSAR search by relying on a few experts. You scale by distributing the logic.

DSAR pods

Small groups aligned to themes like HR, students or clinical care. They use the same templates and the same map.

Shared templates

HR, IG, legal and IT all capture searches in the same structure. This is essential when the ICO asks for evidence.

Custodian training

Teach system owners how to run DSAR searches properly and record what they did.

Automated discovery with human control

Use tools to highlight where the requester’s data is likely to be. A DSAR lead still approves the final scope. Human accountability remains central.

Sampling QA

Quarterly review of random DSAR files. Check whether the map was followed, templates completed and proportionality documented.


Common Mistakes That Undermine DSAR Searches

  • System maps created once and never updated.

  • Templates filled with meaningless notes.

  • Overreliance on the memory of a single senior handler.

  • No documentation of search exclusions.

  • HR, IT and IG teams interpreting proportionality differently.

All of these weaken defensibility.


A Simple Three Step Rollout Plan

1. Design and pilot

Create your first version of the map and templates. Test them across a small number of cases. Capture friction.

2. Standardise and embed

Adopt the three tier model across departments. Embed templates in workflow tools so they cannot be skipped.

3. Monitor and improve

Quarterly QA. Light updates to the map. Periodic custodian training. Feed lessons learned into the model.


How DSAR.ai Supports This Strategy

DSAR.ai was built for organisations that want strong, structured and defensible DSAR searches without overwhelming their teams.

Automated system mapping

The platform surfaces where personal data actually lives and keeps the map current as systems evolve.

Context-based keyword suggestions

Intake narratives are translated into targeted keyword patterns that improve recall while limiting noise.

In-workflow templates

Intake, scoping and search templates are embedded directly in the DSAR workflow. Handlers cannot close a case without capturing decisions.

Audit-ready logs

Every search inclusion, exclusion, constraint and parameter change is recorded automatically. You can export it straight into a DSAR file.

Less guesswork. More defensibility. Lower burnout.

Structured search removes the cognitive load that leads to errors and complaints. It also aligns teams with DUAA and ICO expectations in a way that is easy to demonstrate.

If the goal is not a bigger search but a better one, DSAR.ai gives teams the structure to get there.