Individuals’ awareness of their data protection rights, fuelled in part by high‑profile litigation (which we have written about here and here), has contributed to a sustained rise in the number of data subject access requests (DSARs) that organisations are receiving. That increase appears to be driven in part by machine-generated requests, with generative AI producing detailed and expansive DSARs in seconds and lowering the barrier to drafting complex and far‑reaching demands.
That shift is reshaping not only the volume of DSARs but also their character, and with it the operational playbook of controllers. Understanding the anatomy of modern DSARs, the risks of overly broad scopes, and recent guidance from the UK Information Commissioner’s Office (ICO) can help organisations manage this surge in a way that is lawful, proportionate and defensible.
AI in Practice: DSAR Breadth and Complexity
Under the UK GDPR and the Data Protection Act 2018, individuals are entitled to confirmation of processing and access to their personal data, together with associated information about sources, retention and safeguards. DSARs have therefore always had the potential to be broad in scope, but AI-generated requests now routinely go beyond a simple “what do you hold about me?” and instead purport to seek every conceivable data type across every conceivable system: emails and attachments, messaging platforms, call notes, ticketing systems, HR files, CCTV and access logs. They also frequently demand disclosure of search parameters, the relevant systems and audit trails, alongside granular explanations of any redactions or exclusions.
That framing can have real consequences for workload and defensibility. Unless the organisation has a disciplined process in place, the risk is a sprawling, unfocused search that generates high review costs and delay. Add even a small number of other DSARs into the mix, and the results can quickly become difficult to manage.
Identifying AI‑generated DSARs
An organisation should not refuse to comply with an otherwise valid DSAR simply because of its tone, style or the requester’s suspected use of AI. That said, early recognition of the hallmarks of an AI-drafted request can help anticipate complexity, estimate effort and engage effectively with the requester.
Common indicators of AI-drafted DSARs include:
- Unusually formal or US‑centric terminology that is at odds with the language that the individual would typically be expected to use.
- Exhaustive boilerplate listing every statutory right and exemption by name.
- Scattergun assertions spanning multiple jurisdictions or citing inapplicable regimes.
- Inconsistent personal details, pronouns or formatting suggestive of pasted content.
- Identical – or near‑identical – text across multiple requests received in a short window.
None of these features are conclusive on their own, but taken together they can provide a useful early signal that a request warrants closer attention at the triage stage.
What Organisations Can Do
Responding to all DSARs, whether or not AI-assisted, requires an understanding of what is being asked for, and the ability to translate that understanding into a documented, reasonable and proportionate search strategy.
Under the Data (Use and Access) Act 2025, controllers must conduct reasonable and proportionate searches, rather than exhaustive trawls of all personal data that the organisation might hold about the requester. The Act also enables controllers to “stop the clock” on the statutory deadline in order to seek clarification where a request is unclear or overly broad.
Early Engagement on Scope
If a DSAR reads like a kitchen-sink request (“all data you have about me in every system on earth” being a representative example), there is value in engaging the requester at an early stage:
- Ask the requester to clarify what they are really seeking, by reference to specific systems, date ranges or document types.
- Explain that clearer parameters will enable you to focus searches and deliver accurate responses.
- Frame the process as a constructive dialogue, rather than a delay tactic, while being transparent with the requester that the statutory timeframe is being paused pending their response.
Done well, early clarification on scope helps organisations provide a proportionate, efficient and accurate response, while minimising the review of irrelevant materials and reducing the overall administrative burden in responding to the DSAR.
Document Decisions on Proportionality
Once an organisation has determined what constitutes a reasonably proportionate search, it should record the scope chosen, the systems included (and excluded), the factors considered and the rationale linking those factors to the relevant statutory provisions and regulatory guidance. This process will help demonstrate that the approach taken was considered, defensible and tailored to the request at hand.
Documenting decisions is particularly important in the current environment because regulators themselves are feeling the impact of AI‑assisted drafting – most visibly in the rising complaint volumes about, among other things, DSAR handling. The ICO’s latest reporting confirmed that complaints related to Article 15 UK GDPR remain the single largest category of data protection complaints, with numbers climbing year‑on‑year.
Similarly, Berlin’s Data Protection and Freedom of Information Commissioner recently reported that it had received nearly 50% more data protection complaints in 2025 compared to 2024. The Commissioner identified AI as the primary driver behind this surge, noting that the legal assessments on which AI-generated claims rely are often incomplete or simply wrong.
The phenomenon of AI-assisted complaint drafting is part of a wider, sector-agnostic trend, with schools and planning authorities in the UK reporting that they are being inundated with AI-generated complaint letters and objections. Ultimately, these trends reflect the ease with which follow‑on complaints can now be generated, meaning that poorly scoped responses or weak documentation can potentially turn a routine DSAR into regulatory escalation.
Turning the Tables: Managing Modern DSARs
At the same time as AI is contributing to the rise in DSARs and associated complaints, it can also be part of an organisation’s compliance toolkit, provided it is deployed thoughtfully and with proper oversight. Organisations are increasingly turning to AI‑driven solutions to streamline and scale parts of their DSAR process. Among other things, AI platforms can automate data discovery and classification, searching across structured and unstructured sources to identify relevant personal data quickly and accurately, thereby reducing manual effort and human error.
By pairing these technologies with human review, which remains important for all DSARs, but particularly those with complex or challenging fact patterns, legal and compliance teams can turn the challenge of rising DSAR volumes into an opportunity to increase efficiency, improve accuracy and strengthen compliance across their organisation.
Subscribe to Ropes & Gray Viewpoints by topic here.


