Compliance
Subject Access Requests on Microsoft 365: Using Priva to Stay Sane
Updated 22 April 2026
A Subject Access Request lands in the inbox. "Please provide all personal data you hold on me." You've got a month. Where do you even start?
If you're a Microsoft 365 shop, that one email can mean searching thousands of mailboxes, SharePoint libraries, OneDrives, Teams channels, and Exchange calendars, and then reviewing every hit for third-party personal data before you hand anything over. Done by hand, it eats days. Done properly with Microsoft Priva, it takes hours.
This is a practical guide to both: what a SAR actually requires, and how Priva makes it workable.
What a SAR legally is
Under UK GDPR (and the Data Protection Act 2018), any living individual can ask for:
- Confirmation of whether you process their personal data
- A copy of that personal data
- Information about why you hold it, who you share it with, and how long you keep it
You have to respond within one calendar month of receiving the request. For complex or numerous requests you can extend this by up to a further two months, but you must tell the requester within the first month and give the reason. The request is free in almost all cases: you can charge "a reasonable fee" (or refuse) only if it is manifestly unfounded or excessive, and in practice most lawyers advise against trying.
Importantly: the obligation is to find the data, not just to email back whatever is easy to hand. Not just the obvious stuff. Everywhere it exists, in any system you control.
Why SARs are painful on Microsoft 365 (without help)
A typical small business has personal data scattered across:
- Mailboxes (personal and shared)
- Calendar meetings and invites
- SharePoint document libraries
- OneDrive files
- Teams chat history and channel messages
- Forms responses
- Loop workspaces
The standard "eDiscovery" tools in Microsoft 365 can search these places, but they're designed for legal holds and litigation, not consumer privacy. You're driving a lorry to pick up a parcel.
Doing it manually goes like this:
- Search Exchange for anything containing the requester's email
- Search SharePoint and OneDrive for their name
- Search Teams, which requires yet another tool
- Review every hit for third-party personal data (UK GDPR does not let you simply hand over emails and documents that mention other people; unless the other person consents or disclosure is reasonable without it, you redact them)
- Track what you've reviewed, what you've redacted, and why
- Package it for delivery
Even a 20-person firm gets 200–2,000 hits for a regular SAR. A week of work is normal.
Enter Microsoft Priva
Priva is Microsoft's privacy management suite, sitting inside the Microsoft Purview portal. The two products that matter here are:
- Priva Privacy Risk Management, ongoing policies that flag risky personal-data handling (data being emailed externally, excessive data hoarding, transfers between regions, etc.)
- Priva Subject Rights Requests, the thing you want for SARs
For this guide we're focused on the second. What Subject Rights Requests does:
- You paste in the person's identifier (name, email, whatever you have)
- Priva searches every relevant place in your M365 tenant automatically
- It presents the hits in a single case view
- It flags items likely to contain third-party personal data, and offers redaction tooling
- It tracks approvals, time remaining, and what's been included/excluded, so you have an audit trail
- Final export is packaged for delivery to the requester
It replaces the manual scavenger hunt with a managed workflow built specifically for this.
Licensing, the bit that trips everyone up
Priva is an add-on to Microsoft 365. You need:
- A base Microsoft 365 or Office 365 licence (Business Standard / Premium, E3, E5, etc.)
- A Priva licence on top, separate for each of the two Priva products
Priva Privacy Risk Management
Usually a per-user-per-month subscription. You licence it for the users whose data interactions you want to monitor (practically, usually everyone who handles customer data, which is everyone).
Priva Subject Rights Requests, the per-request model
This is the one that surprises people. It's not per-user. It's per request. Microsoft sells it in tiers based on how many SARs you expect to handle per year, and you can top up mid-year if you burn through your allocation:
- A small-business tier (a handful of requests per year)
- Mid-market tiers with progressively more requests included
- Enterprise tiers for organisations handling dozens or more requests annually
The logic is that SARs aren't constant: a company might get zero for two years and then three in a week. Pay-per-request matches the actual workload. Microsoft's service description is where current pricing sits, and we'll map your request history to the right tier when we quote.
What you don't get bundled by default: Priva is not included in Business Premium or E3 or even E5 as standard. E5 Compliance gets you a lot of Purview, but Priva's two products are add-ons. Budget for them separately.
Using Priva for a SAR: the short version
- Create a new Subject Rights Request in the Priva portal. Pick "Access" as the request type (Priva also supports export, delete and tag-for-follow-up requests if you're operating under regimes like CCPA or handling portability requests).
- Enter the data subject's details, at minimum an email address; ideally any other identifiers (full name, phone number, employee ID) Priva can use to find matches.
- Scope the search, usually all M365 data sources. You can exclude locations if needed.
- Let it run, typically a few minutes for a small tenant, longer for larger ones.
- Review the matches, Priva groups by location and content type, highlights third-party personal data for redaction, and lets you mark items as non-responsive (e.g. file-share accidents that are clearly not about this person).
- Approve and package, when you're satisfied, you approve the request, Priva generates a final package, and you deliver it to the requester.
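The same case can be opened from a script rather than the portal, which is handy if SARs arrive through a ticketing system and you want the statutory deadline set consistently. The PowerShell below is an added example, not code from the original article or from Microsoft: it computes the one-calendar-month deadline using the ICO counting rule (corresponding date next month, last day of the month if that date does not exist, roll forward over weekends) and then creates the request through the Microsoft Graph subjectRightsRequests endpoint. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account has been granted SubjectRightsRequest.ReadWrite.All, and that the request-body field names match the current Graph reference for the subjectRightsRequest resource; the data subject, dates and query are constructed placeholders, and the public-holiday list is left as a stub for you to fill.

```powershell
# Added example (not from the original article or from Microsoft's own samples).
# Opens a Priva Subject Rights Request via Microsoft Graph with the UK GDPR deadline
# pre-computed. Requires: Microsoft.Graph SDK, SubjectRightsRequest.ReadWrite.All.

function Get-SarDeadline {
    # ICO rule: the corresponding calendar date in the following month; if that date
    # does not exist (31 Jan -> 28/29 Feb) the last day of that month; if it lands on
    # a weekend or public holiday, the next working day.
    param(
        [Parameter(Mandatory)][datetime]$Received,
        [datetime[]]$PublicHolidays = @()   # assumption: you supply your own list
    )
    # .NET AddMonths already clamps to the last valid day of the target month.
    $target = $Received.Date.AddMonths(1)
    while (($target.DayOfWeek -in 'Saturday', 'Sunday') -or ($PublicHolidays -contains $target)) {
        $target = $target.AddDays(1)
    }
    return $target
}

# Constructed placeholder data subject; replace with the requester's real details.
$firstName    = 'Jane'
$lastName     = 'Doe'
$subjectEmail = 'jane.doe@example.com'
$received     = Get-Date '2026-04-22'
$due          = Get-SarDeadline -Received $received

Connect-MgGraph -Scopes 'SubjectRightsRequest.ReadWrite.All'

$body = @{
    type                   = 'access'     # 'export', 'delete' and 'tagForAction' are the other types
    displayName            = "SAR - $subjectEmail - received $($received.ToString('yyyy-MM-dd'))"
    description            = 'UK GDPR Article 15 subject access request'
    regulations            = @('GDPR')
    dataSubjectType        = 'customer'
    internalDueDateTime    = $due.ToUniversalTime().ToString('o')
    # Content search query: the requester's name or email anywhere, plus mail and Teams
    # items where they were a participant. Widen with phone number / employee ID if known.
    contentQuery           = "((`"$firstName $lastName`" OR `"$subjectEmail`") OR (participants:`"$subjectEmail`"))"
    includeAllVersions     = $false
    includeAuthoredContent = $true
    pauseAfterEstimate     = $true        # pause after the estimate so scope can be reviewed before retrieval
    dataSubject            = @{ firstName = $firstName; lastName = $lastName; email = $subjectEmail; residency = 'GBR' }
    mailboxLocations       = @{ '@odata.type' = 'microsoft.graph.subjectRightsRequestAllMailboxLocation' }
    siteLocations          = @{ '@odata.type' = 'microsoft.graph.subjectRightsRequestAllSiteLocation' }
}

$request = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/privacy/subjectRightsRequests' `
    -Body ($body | ConvertTo-Json -Depth 5) `
    -ContentType 'application/json'

"Created request $($request.id) (status: $($request.status)); statutory deadline $($due.ToString('yyyy-MM-dd'))"
```

Two design points worth keeping even if you stay in the portal: set pauseAfterEstimate so nobody retrieves thousands of items before the scope has been sanity-checked, and record the computed deadline on the case itself so the countdown Priva shows matches the one the ICO would apply.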
The whole thing is audit-logged: who searched, what was included, what was redacted, when it was sent. That audit trail is exactly what the ICO looks for if a requester escalates.
Privacy Risk Management, the quieter win
While you're licensing Priva anyway, the Privacy Risk Management piece is genuinely useful on an ongoing basis. Built-in policies flag:
- Personal data being emailed outside the organisation
- Too much personal data accumulating in one place ("data hoarding")
- Personal data being transferred between geographical regions (useful if you have data residency commitments)
- Sensitive data overshared in SharePoint / OneDrive
When a policy triggers, the user who caused it gets an email with remediation options ("would you like to remove external sharing?"). Most issues self-resolve without an admin ever getting involved.
Where we come in
For the firms we manage, we typically:
- Help scope Priva licensing for the expected SAR volume (paying for an enterprise tier you don't need is an easy mistake)
- Set up the initial Privacy Risk Management policies
- Configure role-based access so legal / HR / IT each see only what they need
- Run the first SAR with you end-to-end, then hand over
- Remain on-hand for tricky cases (former employees, shared mailboxes, deleted accounts where the data still lurks in backups)
If you're a regulated professional, an accountant or solicitor, this kind of tooling falls squarely inside our free Microsoft 365 monitoring offer. The monitoring platform surfaces Priva risk alerts alongside everything else happening in your tenant, so the privacy work stays joined up with the security work.
TL;DR
- SARs are legally required inside one calendar month
- Doing them by hand in M365 is painful
- Priva Subject Rights Requests is designed for exactly this, licensed per request, not per user
- Priva Privacy Risk Management handles day-to-day privacy hygiene, per user
- Neither is included by default in Business Premium or E3/E5, both are add-ons
- Get the licensing right before you receive the SAR, not during it
If a SAR has just landed and you don't know where to start, give us a call, we can have the right tooling in place within a day.
