AI vs. Privacy: Can Automation Fix DSAR Overload?
Data Subject Access Requests (DSARs) are piling up across organisations. Businesses in almost every industry feel the pressure to respond within tight deadlines, often one month, as required under the General Data Protection Regulation (GDPR). The rise of digital channels means personal data is spread across servers, cloud platforms, emails, and beyond. Meanwhile, individuals have become increasingly privacy-conscious, exercising their right to know what information organisations hold about them and expecting timely and accurate responses.
This is where artificial intelligence (AI) enters the conversation. Many organisations are looking to AI to streamline the DSAR process, automating cumbersome tasks like data collection, redaction, and compliance checks. AI can certainly lighten the load, but does it truly solve the problem? Or does it introduce new risks, particularly when it comes to sensitive personal data and the strict demands of the GDPR?
The Growing Burden of DSARs
In recent years, the volume of DSARs has surged. This increase may be driven by greater public awareness of data protection laws, heightened media attention to data breaches, or the growing influence of “right to be forgotten” campaigns. Whatever the cause, many organisations lack the necessary resources, whether in terms of personnel or technology, to manage the workload effectively.
Manually responding to a DSAR typically involves hunting for data across multiple systems, verifying which records are relevant to the requester, and redacting sensitive third-party information. It’s a resource-intensive process that can easily overwhelm internal privacy teams, particularly when faced with hundreds of requests in a short time span. When deadlines loom, mistakes happen. Overlooking a single document could result in non-compliance, while exposing a colleague’s data to the requester is a data breach in its own right.
But the Risks Run Deep: GDPR Complexities and AI Limitations
Yet beneath this efficiency lies a complex web of risks, particularly under GDPR. AI systems rely on training data and algorithms, which makes them vulnerable to errors. They may misclassify personal data or fail to detect sensitive categories, such as health records, biometric identifiers, or children's data. Since DSARs can involve highly sensitive information, any mistake in classification or redaction can result in serious breaches.
For instance, if an AI tool overlooks health-related documents or fails to redact children’s personal data, the consequences could be severe. Beyond exposing vulnerable individuals to harm, such oversights expose organisations to significant regulatory penalties and reputational damage. The stakes are high, and even small errors can escalate quickly under the scrutiny of data protection authorities.
Complex DSARs often require nuanced legal interpretation, something AI is ill-equipped to handle. Requests involving personal data may intersect with complex legal concepts such as legal privilege, proportionality, or third-party rights. Over-reliance on automation risks sidelining essential human oversight — a dangerous shortcut when accuracy and legal compliance are paramount.
The challenge of explainability adds another layer of complexity. Regulators expect organisations to provide meaningful explanations of how automated tools process personal data. If an individual challenges how their information was identified, redacted, or categorised, the opaque, "black box" nature of many AI systems can leave organisations struggling to justify their decisions.
Finally, data quality remains a critical concern. AI tools are only as effective as the data they are trained on. Disorganised or incomplete data sets increase the risk of missing relevant documents altogether, resulting in incomplete DSAR responses and potential non-compliance. Poor data hygiene undermines both AI performance and regulatory obligations.
Complex DSARs Require Human Judgement
While automation handles routine requests well, not every DSAR is straightforward. Some requests might seek access to data used in AI training sets, raising thorny questions about whether personal data can be extracted from the model itself. Under GDPR, individuals have the right to know how their data is processed, and to request its rectification or erasure.
There is ongoing debate about whether data embedded in AI models falls within the scope of DSARs. Some argue that properly trained models generalise beyond individual data points, making retrieval impossible. Others point out that large language models and similar technologies have been shown to memorise fragments of training data, which could keep personal data within scope.
From a legal and technical perspective, it’s not always clear how to extract or delete an individual’s data from a trained AI model’s parameters. Ignoring such requests altogether could be seen as non-compliance by regulators, especially in the European Union.
AI: A Useful Ally, not a Silver Bullet
AI can play a valuable role in supporting DSAR processes, but it is not a complete solution. Its ability to process large volumes of data quickly and consistently offers operational support, particularly for routine and repetitive tasks. When properly implemented, automation can assist with tracking requests and improving auditability. Yet, these efficiencies do not eliminate the inherent complexities of data protection compliance.
DSARs may involve sensitive and nuanced issues — such as children's data or special category data — where legal interpretation and careful consideration remain critical. AI tools, no matter how advanced, face limitations in understanding context, assessing proportionality, or navigating complex regulatory requirements.
The promise of AI in managing DSARs is clear, but so too are the risks. Poorly implemented AI can introduce new problems, from incomplete responses to the mishandling of sensitive information. As data volumes increase and regulatory scrutiny intensifies, organisations may continue to face the difficult task of balancing efficiency with accountability. AI may serve as a helpful ally, but it cannot replace the role of human judgement in ensuring responsible data stewardship and legal compliance.
For now, the debate continues: Can automation truly fix DSAR overload? The answer remains unclear — efficiency gains are undeniable, but so are the risks that continue to shadow automated solutions.