The Use of AI within DSAR Submissions: Navigating the Rise and Impact

In recent years, the privacy community has witnessed a marked increase in Data Subject Access Requests (DSARs). This trend has coincided with the mainstream adoption of large language models (LLMs) such as generative AI tools, which are now widely accessible to individuals seeking to exercise their data rights under the UK GDPR. While growing awareness of Data Subject Rights is a positive development, it also brings new complexities and responsibilities for organisations handling DSARs day to day.

DSAR Volumes and Trends

Multiple sources confirm the sustained rise in DSARs across the UK and Europe:

  • The ICO’s official 2023–2024 annual report stated that Article 15 complaints (“right of access”) accounted for 38.74% of all data protection complaints it received; this makes DSAR-related issues the single largest category in ICO workload. Source: legalbriefs.deloitte

  • DSAR complaints have seen sector-specific spikes, with the ICO reporting a 15% increase in financial services DSAR complaints during 2024. Source: legalbriefs.deloitte

  • Industry statistics reveal that 60% of organisations report an increase in DSARs year-over-year; legal and privacy professionals link this rise directly to greater regulatory awareness and operational ease, particularly following high-profile media coverage and breach notifications. Source: transperfectlegal

  • 36% of internet users worldwide exercised their DSAR rights in 2024, up from 24% in 2022 (Statista via Termly). Source: termly

  • The average number of GDPR DSARs per website has risen from 5.7 in 2021 to 7.3 in 2024, with total average requests (GDPR + CCPA) surging from 19.4 to 61 per website in the same period. Source: termly

  • More than 66% of DSARs are made by employees, frequently in contexts of employment disputes or internal reviews, a critical consideration for HR and compliance teams. Source: termly

Organisations are also reporting that DSARs are increasingly sophisticated in content and often drafted with the assistance of AI-powered platforms, allowing for greater detail, legal referencing, and a structured format.

The Changing Landscape: DSAR Volumes and AI Involvement

The right of access, governed by Article 15 of the GDPR, empowers individuals to request and obtain confirmation as to whether their personal data is being processed, access that data, and understand the purposes for processing, categories of data, recipients, data sources, and their rights regarding rectification, erasure, restriction, and objection to processing, among other details.

Traditionally, DSAR volumes have aligned with service complaints, dismissals, public interest, media coverage of data breaches, and the visibility of enforcement actions by regulators. However, the last two years have seen a sustained rise in requests, much of which is attributable to the ease of drafting “high-quality” detailed DSARs using LLM-powered AI platforms. This has made it simpler for people, sometimes without technical backgrounds, to submit robust requests and appear knowledgeable, but it has also opened doors to less scrupulous uses, such as weaponised or excessive DSARs in the context of complaints and/or disputes.

Identifying AI-Generated DSARs

It has become increasingly common for privacy teams to encounter DSARs that display characteristics aligned with AI generation:

  • Unusual or consistent use of em dashes and specific punctuation.

  • Subtle Americanisms (e.g. “organization” instead of “organisation”)

  • Highly structured and formal language, often appearing highly dissimilar to previous correspondence by the same individual.

  • Complex identifiers and detailed references to GDPR articles

  • Articulations that reference rights, exemptions, or guidance not typically used by lay requesters

When assessing DSARs, it can be helpful to compare the style and tone against previous communications from the data subject, if available. A marked change in writing style, increased use of legal terminology, or the sudden inclusion of multi-point requests may suggest that AI has assisted in the drafting process.

Why Does This Matter?

Understanding whether a DSAR is AI-generated is not about dismissing or prejudicing the request; rather, it helps inform the organisation’s response, expectations, and risk management. AI-written DSARs often come well-prepared, referencing legal nuances, exemptions, and seeking comprehensive data sets.
For organisations, this means the volume, complexity, and time required to process DSARs may increase, especially where requests cite specific technical wording or seek information on automated decision-making and profiling, areas directly engaged by both the GDPR and, more recently, the Data Use and Access Act 2025 (DUAA).

The Right to Access: GDPR Article 15

The right of access under Article 15 GDPR states:

“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information…”
– GDPR Article 15

This includes:

  • Purposes of processing

  • Categories of personal data

  • Recipients or categories of recipients to whom the data has been or will be disclosed

  • Data retention period

  • Information on rights to rectification, erasure, restriction, and objection

  • Information on data sources (if not collected from the individual directly)

  • Details of any automated decision-making processes.

The organisation must provide this information unless a legitimate exemption applies, and generally within one calendar month of receipt. For complex or multiple requests, this can be extended by a further two months, with notification requirements for delay.

Managing Weaponised and Excessive DSARs

The use of AI has made it easier for individuals, particularly those with an ongoing complaint or dispute, to submit extensive and arguably technical DSARs. While many requests are genuine and reflect increased transparency, organisations should prepare for weaponised requests aimed at disruption, or those submitted en masse for strategic reasons.

GDPR and ICO guidance allow controllers to refuse to comply with DSARs where they are manifestly unfounded or excessive. Manifestly unfounded requests might be motivated by malice or disruption, or made where the claimant has no genuine intention to exercise their rights, but this is often difficult to prove.
Manifestly excessive requests typically exceed what is reasonable, either in scope or burden. Large-volume requests are not automatically excessive, but the organisation must assess proportionality, context, and its own resources.

It’s important to:

  • Evaluate the request’s motivation (is there harassment or disruption intent, or is the data subject genuinely seeking information?)

  • Challenge unclear, duplicative, or unreasonable requests politely and professionally

  • Ask for clarification from the data subject where requests are broad or non-specific

  • Document all decisions, including reasons for refusing requests, and communicate with the requester about avenues for complaint if relevant

The DUAA and Proportionality

The Data Use and Access Act (DUAA) 2025 strengthens the controller’s position by codifying the requirement for reasonable and proportionate searches in response to DSARs. This means organisations are no longer obligated to conduct unlimited or impracticable searches in response to broad or vague requests; instead, controllers can tailor their processes to balance the burden against the rights of the data subject.

Key takeaways:

  • Respond within one calendar month, with extensions for complexity (DUAA)

  • Notify data subjects of any delays or need for additional information

  • Maintain clear processes and protocols for search, review, and response

  • Focus on proportionality: what is reasonable for both the organisation and the individual

Practical Guidance: Responding to AI-Driven DSARs

1. Critically examine the request

Review what has been asked for, how it has been articulated, and whether the request aligns with legitimate data rights.

2. Open dialogue

If unclear, enter into discussion with the requester to seek clarification. This can head off excessive or irrelevant searches.

3. Policy and process

Stick to documented procedures for DSAR handling. Regularly review these in light of regulatory changes and organisational capacity.

4. Document the decision-making process

Log all correspondence, clarifications, and internal notes for audit and mitigation purposes.

5. Challenge where appropriate

Do not simply accept every request at face value. Evaluate whether it is genuinely actionable within the GDPR’s framework.

6. Be mindful of the cost and time dynamics

Some individuals now use AI instead of solicitors, seeking both cost savings and capacity to submit requests. While this is not in itself a problem, it is important to keep an eye out for strategic claimants and review communications for pattern changes.


Governance Risk & Compliance Hub LIMITED