AI Sigil Logo
Contact Us
Back to all insights
A digital hourglass with binary code flowing through it

Sections

AI and the Evolution of Data Subject Access Requests

Ctrl+C, Ctrl+Comply: The Rise of AI-Enabled DSARs

In recent years, individuals’ awareness of their data protection rights has significantly increased, driven in part by high-profile litigation. This heightened awareness has contributed to a remarkable rise in the number of data subject access requests (DSARs) that organizations are receiving. A notable factor in this increase is the emergence of machine-generated requests, with generative AI facilitating the rapid production of detailed DSARs, thereby lowering the barrier to drafting complex demands.

The Changing Landscape of DSARs

This shift is not only reshaping the volume of DSARs but also their character, which in turn affects the operational playbook of data controllers. Understanding the anatomy of modern DSARs, the risks associated with overly broad scopes, and recent guidance from the UK Information Commissioner’s Office (ICO) can help organizations manage this surge in a way that is lawful, proportionate, and defensible.

AI in Practice: DSAR Breadth and Complexity

Under the UK GDPR and the Data Protection Act 2018, individuals are entitled to confirmation of processing and access to their personal data, including related information about sources, retention, and safeguards. While DSARs have always had the potential to be broad in scope, AI-generated requests now routinely extend beyond a simple inquiry of “what do you hold about me?” to seek every conceivable data type across various systems. This includes emails, attachments, messaging platforms, call notes, ticketing systems, HR files, CCTV footage, and access logs. Requests often demand disclosure of search parameters, relevant systems, and audit trails, as well as detailed explanations for any redactions or exclusions.

The implications of such broad requests can be significant. Organizations that lack a disciplined process may face sprawling, unfocused searches that generate high review costs and delays. Introducing even a small number of additional DSARs can quickly lead to management difficulties.

Identifying AI-generated DSARs

Organizations must not refuse to comply with an otherwise valid DSAR merely due to its tone, style, or the requester’s suspected use of AI. However, early recognition of the hallmarks of an AI-drafted request can assist in anticipating complexity, estimating effort, and engaging effectively with the requester. Common indicators of AI-drafted DSARs include:

  • Unusually formal or US-centric terminology that contrasts with the language typically used by the individual.
  • Exhaustive boilerplates listing every statutory right and exemption.
  • Scattergun assertions spanning multiple jurisdictions or citing inapplicable regimes.
  • Inconsistent personal details, pronouns, or formatting suggestive of pasted content.
  • Identical or near-identical text across multiple requests received in a short timeframe.

While none of these features are conclusive on their own, collectively they can signal that a request warrants closer scrutiny during the triage process.

What Organizations Can Do

Responding to all DSARs, whether AI-assisted or not, necessitates an understanding of the request and the ability to translate that understanding into a documented, reasonable, and proportionate search strategy. Under the Data (Use and Access) Act 2025, controllers must conduct reasonable searches rather than exhaustive trawls of all personal data held about the requester. This Act also allows controllers to “stop the clock” on the statutory deadline to seek clarification when a request is unclear or overly broad.

Early Engagement on Scope

If a DSAR resembles a “kitchen-sink” request, early engagement with the requester can be beneficial:

  • Ask the requester to clarify their specific needs, referencing particular systems, date ranges, or document types.
  • Explain that clearer parameters will facilitate focused searches and accurate responses.
  • Frame the interaction as a constructive dialogue, not as a delay tactic, while transparently communicating that the statutory timeframe is paused pending their response.

By effectively achieving early clarification on scope, organizations can provide proportionate, efficient, and accurate responses while minimizing the review of irrelevant materials, thus reducing the overall administrative burden associated with DSARs.

Document Decisions on Proportionality

Once an organization has determined what constitutes a reasonably proportionate search, it should document the selected scope, the systems included (and excluded), the factors considered, and the rationale linking those factors to relevant statutory provisions and regulatory guidance. This documentation is crucial in the current environment, as regulators are experiencing the impact of AI-assisted drafting, particularly evident in the rising number of complaints regarding DSAR handling.

The ICO’s latest reports confirm that complaints related to Article 15 UK GDPR remain the most significant category of data protection complaints, with numbers increasing annually. Similarly, Berlin’s Data Protection and Freedom of Information Commissioner noted a nearly 50% increase in data protection complaints in 2025 compared to 2024, attributing this surge primarily to AI.

Turning the Tables: Managing Modern DSARs

While AI contributes to the rise in DSARs and associated complaints, it can also serve as part of an organization’s compliance toolkit when implemented thoughtfully and with proper oversight. Organizations are increasingly adopting AI-driven solutions to streamline and scale components of their DSAR processes. AI platforms can automate data discovery and classification, efficiently searching across structured and unstructured sources to quickly and accurately identify relevant personal data, thereby reducing manual effort and minimizing human error.

By integrating these technologies with human review—essential for all DSARs, especially those with complex fact patterns—legal and compliance teams can turn the challenge of rising DSAR volumes into an opportunity to enhance efficiency, improve accuracy, and strengthen compliance across their organizations.

More Insights

A safety helmet worn by drone operators

Revolutionizing Drone Regulations: The EU AI Act Explained

December 17, 2025 AI,AI Regulation,Drone Technology,Regulatory Framework
The EU AI Act represents a significant regulatory framework that aims to address the challenges posed by artificial intelligence technologies in various sectors, including the burgeoning field of...
Read More
A safety helmet worn by drone operators

Revolutionizing Drone Regulations: The EU AI Act Explained

December 1, 2025 AI,AI Regulation,Drone Technology,Regulatory Framework
The EU AI Act represents a significant regulatory framework that aims to address the challenges posed by artificial intelligence technologies in various sectors, including the burgeoning field of...
Read More
A light bulb to convey innovation and the bright potential of responsible AI solutions.

Embracing Responsible AI to Mitigate Legal Risks

November 29, 2025 AI,AI Ethics,AI Governance,AI Regulation
Businesses must prioritize responsible AI as a frontline defense against legal, financial, and reputational risks, particularly in understanding data lineage. Ignoring these responsibilities could...
Read More
A traffic light to illustrate the need for clear guidelines and regulations in managing AI technologies.

AI Governance: Addressing the Shadow IT Challenge

November 29, 2025 AI,AI Governance,AI Regulation Awareness,Regulatory Compliance
AI tools are rapidly transforming workplace operations, but much of their adoption is happening without proper oversight, leading to the rise of shadow AI as a security concern. Organizations need to...
Read More
A roadmap illustrating the journey companies must take to align with AI regulations.

EU Delays AI Act Implementation to 2027 Amid Industry Pressure

November 29, 2025 AI,AI Regulation,EU Compliance,Regulatory Compliance
The EU plans to delay the enforcement of high-risk duties in the AI Act until late 2027, allowing companies more time to comply with the regulations. However, this move has drawn criticism from rights...
Read More
A semiconductor chip

White House Challenges GAIN AI Act Amid Nvidia Export Controversy

November 29, 2025 AI,AI Regulation,Artificial Intelligence Governance,Technology Policy
The White House is pushing back against the bipartisan GAIN AI Act, which aims to prioritize U.S. companies in acquiring advanced AI chips. This resistance reflects a strategic decision to maintain...
Read More
Compliance checklist

Experts Warn of EU AI Act’s Impact on Medtech Innovation

November 29, 2025 AI,EU Compliance,Medtech Innovation,Regulatory Compliance
Experts at the 2025 European Digital Technology and Software conference expressed concerns that the EU AI Act could hinder the launch of new medtech products in the European market. They emphasized...
Read More
A tree

Ethical AI: Transforming Compliance into Innovation

November 29, 2025 AI,AI Ethics,Ethical AI
Enterprises are racing to innovate with artificial intelligence, often without the proper compliance measures in place. By embedding privacy and ethics into the development lifecycle, organizations...
Read More
A warning sign

AI Hiring Compliance Risks Uncovered

November 29, 2025 AI,AI Compliance,AI Regulation,Regulatory Compliance
Artificial intelligence is reshaping recruitment, with the percentage of HR leaders using generative AI increasing from 19% to 61% between 2023 and 2025. However, this efficiency comes with legal...
Read More