The $1B DSAR Problem
By Matt Pollins (Co-Founder @ Lupl) and Andy Edler (VP, Legal Service @ TCDI)
With thanks to David Varney (Partner, Ashfords)
What are DSARs?
Data Subject Access Requests (DSARs) are a core privacy right under laws like the EU/UK GDPR. They allow individuals (data subjects) to request a copy of the personal data an organization holds about them and information on how it is used. In essence, a DSAR lets you “access” your data to check that a company is handling it lawfully. Organizations typically have a short timeframe – usually around one month – to respond to a DSAR, unless an extension applies. This makes DSAR compliance a time-sensitive obligation for businesses.
The Problem with DSARs
DSARs have become one of the biggest headaches in data protection today. Here’s why:
- Soaring Volumes: DSAR requests are surging year-over-year. In the UK alone, the Information Commissioner’s Office (ICO) received more than 15,300 DSAR-related complaints in 2023, a 13.5% rise from the prior year. DSAR issues are now the number one cause of data protection complaints to the ICO, accounting for roughly 40% of all complaints. And that’s just the tip of the iceberg – experts note the actual number of DSARs submitted is far higher (likely well into the millions annually in the UK).
- Resource Burden: What should be a simple right has become expensive, resource-intensive and troublesome for many organizations. Satisfying a DSAR means scouring every system (emails, databases, documents) for an individual’s data, reviewing thousands of records, and carefully redacting others’ information. It’s no surprise that responding to DSARs can consume a significant amount of business resources in terms of both cost and human time. All this must be done within tight, regulatory deadlines, which puts teams under immense pressure. Mistakes (like missing data or disclosing too much) carry serious compliance risks, including regulatory action or fines.
- Increasing Complexity: Today’s DSARs are often broad and complex. As people become more aware of their rights, organizations are facing not just more requests but also more demanding ones. A DSAR might be as simple as “What info do you have about me in your database?” or as complex as “Give me all emails, documents, CCTV footage, and records that mention me.” In fact, DSARs can range from a few files to tens of thousands of documents, sometimes involving CCTV video and third-party data that must be carefully redacted. The rise of remote work and digital communications means personal data is spread across more systems than ever, making data collection a bigger challenge.
- Disputes and “Weaponization”: A major driver behind the DSAR explosion is that people are using these requests as a litigation tool. It’s common to see DSARs filed by disgruntled ex-employees or unhappy customers in the middle of a dispute. Often, the DSAR is a “fishing expedition” – looking for that smoking gun document or putting pressure on the organization to settle a claim. In the employment context especially, many DSARs are tied to grievances or tribunal cases. Law firm analyses note that DSARs frequently accompany legal complaints, either to gain leverage or out of frustration with an organization. This trend has contributed to the surge in volume, as a rising tide of disputes (and greater public awareness of data rights) leads to more people turning to DSARs as a tactic.
- Strict Compliance Requirements: The regulatory and legal scrutiny around DSAR handling is intensifying. Regulators like the ICO have shown they will enforce DSAR obligations – for example, in 2022 the ICO reprimanded seven organizations for failing to comply with DSAR response requirements (mostly for missing the statutory deadlines). Failing to properly handle a DSAR can lead not only to complaints but also enforcement notices, fines, or lawsuits. Under GDPR, fines for not honoring data subject rights can reach into the millions. In short, ignoring DSARs is not an option – by 2026, Gartner predicts global annual penalties for DSAR mismanagement will exceed $1 billion. The pressure to get this right has never been higher.
The Law Firm Perspective
Legal professionals are acutely aware of these challenges and the need for better solutions. “We’ve seen a huge rise in DSAR inquiries across our client base, and it’s only growing,” says David Varney, Partner at Ashfords LLP, who handles data protection and compliance matters for organizations from startups to large corporates.
“Organizations are struggling under the weight of these requests and they’re looking for more efficient answers. The demand for DSAR management tools – especially ones leveraging AI to speed up the process while maintaining accuracy – has never been higher. But as with any automated solution, we have to find the right blend of AI and human oversight – both in terms of process design but also because DSARs often encompass marginal calls that require expert decision-making.”
The Solution – Supervised AI
Given the volume, complexity, and risks involved, the ideal solution is a blend of intelligent automation and human oversight – a “supervised AI” approach. The goal is to let AI do the heavy lifting on repetitive tasks while human experts handle interpretation, judgment calls, and quality control. This hybrid model addresses the shortcomings of both manual and fully-automated methods. Effective DSAR handling still depends on expert judgment and understanding of the regulatory landscape. In other words, AI by itself won’t replace human expertise, but it can radically lighten the load.
How Supervised AI Works
- Unified Intake: The process begins with DSAR intake, which can be powered via a branded form or email, using a system like Lupl.
- Auto Triage & Scoping: AI automatically triages the request. It examines what’s being asked and helps determine the scope: Who is the requester? Is the request valid and made under the proper rights? What data sources are likely in scope (emails, HR records, databases, etc.)? The agent can flag if a request is overly broad or doesn’t meet certain criteria (for instance, if it’s manifestly unfounded or excessive under GDPR definitions).
- Deadline Calculation: Once the request is accepted, a platform like Lupl automatically calculates a response deadline based on the date of receipt. The tool then tracks this deadline, sending reminders to everyone involved and ensuring the clock doesn’t run out. This removes the guesswork from compliance timing and helps teams prioritize tasks to meet the due date.
- Automated Acknowledgement & Communication: Using a pre-defined playbook of responses, the system drafts all the necessary communications. This includes an acknowledgement email to the data subject (confirming receipt of the DSAR and the expected response date) and any template letters needed – for example, requests for identity verification or clarifications if the scope is unclear.
- Secure Data Collection: Next, the heavy lifting shifts to the discovery and processing team – usually powered by a vendor such as TCDI. TCDI’s DSAR team receives the scoped request and orchestrates data collection across all relevant systems. Using eDiscovery-like connectors and scripts, they pull in data from email servers, file shares, databases, cloud applications – wherever the individual’s personal data might reside. Because this step is automated, it can gather large volumes of data in a fraction of the time a manual search would take.
- AI-Assisted Review & Redaction: Once the raw data is collected, the platform filters and indexes it to isolate what’s likely relevant to the DSAR. The process then applies redactions to shield third-party identities or other exempt information (for example, legally privileged material) in one go. Expert humans handle any judgment calls (e.g. whether an exemption applies, or if a certain email is out of scope) and ensure the AI didn’t miss anything critical. This supervised review process dramatically speeds up what used to require dozens of hours of manual reading, while still safeguarding accuracy and compliance.
- Assemble Response & Delivery: With the review complete, the solution compiles the final DSAR response package. Again, human review is critical at this stage, so the baton is handed back to a data protection expert before the output is sent back to the Data Subject. Finally, the request is marked complete in the system.
Importantly, human experts remain in the loop, supervising the AI-driven steps. This ensures that nuances – like interpreting the exact request scope or applying a legal exemption – are handled correctly. The result is a far more efficient process: what previously might take a team many weeks of effort can be turned around much faster, with less risk of error.
Crucially, supervised AI solutions address where other methods fall short. Traditional manual handling is slow and prone to human error, while pure automation without oversight can misjudge context or overlook legal subtleties.
Where to Learn More
The DSAR challenges won’t disappear, but with the right approach, 2026 can be the year your organization finally tames the DSAR storm. To learn more about implementing a supervised AI DSAR solution in your firm, you can reach out to the teams behind the examples above:
- Lupl – the task management and workflow automation platform for legal.
- Matt Pollins – Co-Founder & Chief Product Officer
- Ashfords – a leader in data protection and compliance matters, combining expert lawyers with a pragmatic, solutions-orientated approach.
- David Varney – Partner
- TCDI – a leader in legal tech, eDiscovery, and DSAR services. Visit TCDI’s website (www.tcdi.com) for information on their DSAR automation capabilities and to get in touch with their experts.
- Andy Edler – VP, Legal Service