DEV Community

Vhub Systems

How to Use GDPR Subject Access Requests as Competitive Intelligence (Legally)

GDPR Article 15 gives individuals the right to access all personal data a company holds about them. Most people use this to see what data Facebook has on them.

Savvier people use it as a competitive intelligence tool.

What a Subject Access Request Reveals About a Business

When you submit a SAR (Subject Access Request) to a company as a customer or user, they must disclose:

  • Every piece of data they hold about you
  • The sources of that data (did they buy it? From where?)
  • Who they have shared it with (data processors, third parties, analytics providers)
  • The purposes for processing
  • Their retention periods per category

For a competitor analysis, this tells you:

  • What analytics and tracking tools they use
  • Which data brokers and marketing platforms they buy from
  • Their complete marketing stack
  • What they know about their customers
  • Whether they have GDPR compliance gaps (useful if you compete on privacy)

Practical Example

I submitted SARs to 3 SaaS competitors as a free trial user. Here is what I learned:

Competitor A disclosed:

  • 47 third-party data processors (I expected ~10)
  • Data shared with: Salesforce, HubSpot, Amplitude, Segment, 6sense, Demandbase, Bombora
  • Bought my data from ZoomInfo and Apollo before I even signed up
  • Retention period: "indefinitely" (a GDPR violation — the maximum is usually the period justified by a business need)

What this tells me: They have a sophisticated ABM stack (6sense + Demandbase + Bombora = expensive intent data). They are spending heavily on enterprise marketing. Their TAM focus is clearly enterprise.

Competitor B disclosed:

  • 11 third-party processors
  • Analytics: Mixpanel only
  • No third-party data purchases
  • Retention: 24 months post-churn

What this tells me: Lean product-led growth motion. Minimal outbound spend. Probably self-serve focused.

How to Submit a SAR

  1. Sign up as a free user (this gives you data subject status)
  2. Email privacy@[company].com with "Subject Access Request" as the subject line
  3. Include your name, email address and account ID
  4. They have 30 days to respond (GDPR requirement, extendable to 90 days for complex requests)
  5. They must provide the data in a "structured, commonly used, machine-readable format"

Most companies respond via email with a PDF or JSON export.

The GDPR Compliance Gap Angle

If a competitor's SAR response reveals compliance gaps, that is a competitive positioning opportunity — especially if you sell to regulated industries (fintech, healthtech, legal).

Common gaps I have found:

  • "Indefinite" retention periods with no justification
  • Third-party sharing not mentioned in their privacy policy
  • Inability to provide data in machine-readable format (technical GDPR violation)
  • Response time over 30 days (technically a reportable breach)

None of these are worth reporting to the ICO maliciously — but they inform your positioning. If you can say "we are fully GDPR compliant" and they cannot, that matters in sales cycles.

Bulk SAR Analysis

For competitive research, I systematically SAR 10-20 companies per quarter. I track:

```python
# SAR tracking spreadsheet structure (one row per company)
sar_data = {
    "company": "CompetitorX",
    "submitted_date": "2026-03-01",
    "response_date": "2026-03-28",  # 27 days - compliant
    "response_format": "JSON",
    "processors_count": 47,
    "data_brokers_used": ["ZoomInfo", "Apollo"],
    "analytics_tools": ["Amplitude", "Segment"],
    "marketing_tools": ["6sense", "Demandbase", "HubSpot"],
    "retention_policy": "indefinite",  # Red flag
    "compliance_issues": ["no_retention_limit"],
    "insights": "Heavy enterprise ABM stack, ~$50k+/mo marketing spend estimated"
}
```
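Once you have more than a handful of rows in that structure, the compliance flags should be computed rather than typed in by hand. The script below is an added example, not code from the original post: it takes records in the same shape, works out the days to respond, flags the three gaps the post describes (late response, non-machine-readable format, unbounded retention) and counts which third-party tools recur across the companies you track. The 30-day deadline and the "machine-readable format" rule are used exactly as the post states them; the set of formats treated as machine-readable and the second record ("CompetitorY") are constructed assumptions. The same checks are just as useful when you run a SAR against your own company to verify your own response.

```python
# Added example (not from the original post): compliance checks over SAR
# tracking records of the shape shown above. The 30-day deadline is taken
# as the post states it; MACHINE_READABLE and the sample rows are constructed.
from collections import Counter
from datetime import date

STATUTORY_DAYS = 30                          # response deadline as stated in the post
MACHINE_READABLE = {"JSON", "CSV", "XML"}    # formats accepted as machine-readable (assumption)

# Constructed sample records; "CompetitorX" mirrors the spreadsheet row above.
SAR_RECORDS = [
    {
        "company": "CompetitorX",
        "submitted_date": "2026-03-01",
        "response_date": "2026-03-28",
        "response_format": "JSON",
        "processors_count": 47,
        "data_brokers_used": ["ZoomInfo", "Apollo"],
        "analytics_tools": ["Amplitude", "Segment"],
        "marketing_tools": ["6sense", "Demandbase", "HubSpot"],
        "retention_policy": "indefinite",
    },
    {
        "company": "CompetitorY",            # constructed row
        "submitted_date": "2026-03-03",
        "response_date": "2026-04-10",
        "response_format": "PDF",
        "processors_count": 11,
        "data_brokers_used": [],
        "analytics_tools": ["Mixpanel"],
        "marketing_tools": ["HubSpot"],
        "retention_policy": "24 months post-churn",
    },
]


def days_to_respond(record):
    """Calendar days between submission and response, or None while still pending."""
    if not record.get("response_date"):
        return None
    submitted = date.fromisoformat(record["submitted_date"])
    responded = date.fromisoformat(record["response_date"])
    return (responded - submitted).days


def compliance_issues(record, today):
    """Return the compliance flags the post describes for one record.

    `today` is an ISO date string and is only used for records with no response yet.
    """
    issues = []
    elapsed = days_to_respond(record)
    if elapsed is None:
        waited = (date.fromisoformat(today) - date.fromisoformat(record["submitted_date"])).days
        if waited > STATUTORY_DAYS:
            issues.append("no_response_past_deadline")
        return issues
    if elapsed > STATUTORY_DAYS:
        issues.append("late_response")
    if record["response_format"].upper() not in MACHINE_READABLE:
        issues.append("not_machine_readable")
    if record["retention_policy"].strip().lower() in {"indefinite", "indefinitely", "forever"}:
        issues.append("no_retention_limit")
    return issues


def tool_overlap(records):
    """Count how many tracked companies use each third-party tool."""
    counts = Counter()
    for rec in records:
        counts.update(set(rec["data_brokers_used"] + rec["analytics_tools"] + rec["marketing_tools"]))
    return counts


def summarize(records, today):
    """Per-company summary: days to respond plus the computed issue list."""
    return {
        rec["company"]: {"days": days_to_respond(rec), "issues": compliance_issues(rec, today)}
        for rec in records
    }


if __name__ == "__main__":
    for company, row in summarize(SAR_RECORDS, "2026-04-15").items():
        print(company, row)
    print(tool_overlap(SAR_RECORDS).most_common(3))
```

Keeping `compliance_issues` as a pure function over one record means the same rule set can be pointed at your own SAR responses before a customer or a regulator does.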

What You Cannot Do

  • Submit SARs under false identities (fraudulent misrepresentation)
  • Use SAR information to harm the company or individual employees
  • Mass-submit SARs to harass a competitor (abuse of process)
  • Share information received via SAR about other users (data received under SAR is for your own use)

Submitting as a genuine customer or trial user and using the response for your own competitive research is legal and legitimate.

The Scraping Connection

A SAR response often reveals a company is using scraping or data enrichment on you. I have received SAR responses from companies that contained:

  • My home address (scraped from public records, not given to them)
  • My Twitter/X follower count at time of signup
  • Inferred income bracket (enriched from consumer data)
  • LinkedIn headline and connections count

This tells you exactly what data they are collecting about prospects — potentially including your own customers.

Building a Privacy-First Competitive Position

If you operate in a regulated space and want to compete on trust:

  1. Run your own SAR to verify you are compliant
  2. Document all processors and update your privacy policy
  3. Implement proper retention limits and automated deletion
  4. Set up a SAR response workflow (tools exist for this)
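Steps 2 to 4 boil down to three pieces of data you should hold in code rather than in a document: a retention policy per data category, a register of processors, and the records themselves. The example below is added here and is not the post's code or any particular tool's: it validates the policy for unbounded categories (the "indefinite" gap), lists the records that are past their retention period and due for automated deletion, and assembles a machine-readable SAR response for one subject that includes sources, recipients and retention periods. The category names, retention lengths, processor names and records are constructed placeholders; the 30-day response deadline is taken as the post states it.

```python
# Added example (not from the original post): retention enforcement and a
# machine-readable SAR response for your own systems. All categories, periods,
# processor names and records are constructed placeholders; the 30-day
# response deadline is taken as the post states it.
import json
from datetime import date, timedelta

RESPONSE_DEADLINE_DAYS = 30   # as stated in the post

# Retention policy per data category: days after the anchor event.
# None means "no limit", which validate_policy() reports as a gap.
RETENTION_POLICY = {
    "account":   {"days": 730, "anchor": "churn_date"},     # 24 months post-churn
    "analytics": {"days": 395, "anchor": "collected_on"},   # ~13 months (constructed)
    "marketing": {"days": None, "anchor": "collected_on"},  # deliberately unbounded for the demo
}

# Processor register: who receives which categories (constructed names).
PROCESSOR_REGISTER = [
    {"name": "ExampleCRM", "categories": ["account", "marketing"], "purpose": "sales CRM"},
    {"name": "ExampleAnalytics", "categories": ["analytics"], "purpose": "product analytics"},
]

# Constructed personal-data records for two subjects.
RECORDS = [
    {"id": 1, "subject": "alice@example.com", "category": "account",
     "source": "provided by user", "collected_on": "2023-01-10", "churn_date": "2024-01-01"},
    {"id": 2, "subject": "alice@example.com", "category": "analytics",
     "source": "first-party tracking", "collected_on": "2025-01-15", "churn_date": None},
    {"id": 3, "subject": "bob@example.com", "category": "account",
     "source": "provided by user", "collected_on": "2025-06-01", "churn_date": None},
]


def validate_policy(policy):
    """Return the categories whose retention is unbounded (the 'indefinite' gap)."""
    return sorted(cat for cat, rule in policy.items() if rule["days"] is None)


def records_due_for_deletion(records, policy, today):
    """IDs of records whose anchor date plus retention period falls before `today` (ISO string)."""
    today = date.fromisoformat(today)
    due = []
    for rec in records:
        rule = policy[rec["category"]]
        anchor = rec.get(rule["anchor"])
        if rule["days"] is None or anchor is None:
            continue   # unbounded policy, or anchor event has not happened (e.g. still a customer)
        if date.fromisoformat(anchor) + timedelta(days=rule["days"]) < today:
            due.append(rec["id"])
    return due


def sar_response(subject, records, policy, register, received_on):
    """Build a JSON-serialisable Article 15 response for one subject."""
    mine = [r for r in records if r["subject"] == subject]
    categories = sorted({r["category"] for r in mine})
    recipients = sorted(p["name"] for p in register if set(p["categories"]) & set(categories))
    respond_by = date.fromisoformat(received_on) + timedelta(days=RESPONSE_DEADLINE_DAYS)
    retention = {}
    for cat in categories:
        rule = policy[cat]
        retention[cat] = (f"{rule['days']} days after {rule['anchor']}"
                          if rule["days"] is not None else "UNBOUNDED - policy gap")
    return {
        "subject": subject,
        "received_on": received_on,
        "respond_by": respond_by.isoformat(),
        "data": [{"category": r["category"], "source": r["source"],
                  "collected_on": r["collected_on"]} for r in mine],
        "recipients": recipients,
        "retention": retention,
    }


if __name__ == "__main__":
    print("unbounded categories:", validate_policy(RETENTION_POLICY))
    print("due for deletion:", records_due_for_deletion(RECORDS, RETENTION_POLICY, "2026-03-01"))
    print(json.dumps(sar_response("alice@example.com", RECORDS, RETENTION_POLICY,
                                  PROCESSOR_REGISTER, "2026-03-01"), indent=2))
```

Running `validate_policy` in CI, and `records_due_for_deletion` on a schedule, is what turns "we have a retention policy" into something you can show during a sales cycle.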

Data Collection Toolkit — €29

Includes data collection tools designed with GDPR compliance built-in: audit trail of data sources, automated retention enforcement, and SAR response templates.


Have you ever submitted a SAR to a competitor? What surprised you most in the response?
