From the numerous conversations I have had over the past two years, it’s clear that data subject access requests (DSARs) are a significant operational challenge for organizations of all sizes. In fact, such is the level of disruption they cause that “operational challenge” is not the term many people use when describing handling these requests. A far more emotive response is often what they provoke!
To make matters worse for the already busy teams that handle them, the volume of requests continues to grow. That is then further compounded by the fact that the variety of data that now needs to be included is also expanding rapidly. Add to that the fact that no one request is the same and that they arrive in inconsistent volumes, and what you have is a considerable problem.
What all of this means is that the cost of managing these requests is growing and if some of the figures I have recently been quoted are anything to go by, the cost is significant!
However, there is a solution to all these problems, and that solution is the use of well-provisioned and governed AI.
Of course, saying that in 2026 may be a little trite given the proliferation of AI tools available to support legal and compliance. However, the truth is that managing a DSAR using AI is the perfect use case, and here’s why.
Why Leveraging AI Just Makes Sense
A DSAR, whilst burdensome, is rarely contentious and doesn’t require additional permission. Therefore, responding to the needs of the request is unlikely to come under a high level of scrutiny. That’s said not to suggest complacency, but rather to provide context and contrast requests with more complex litigation management.
The challenge is that each stage traditionally relies on a significant human involvement, and this is where the time, cost, and frankly, the inefficiency come from.
Given the variety in size, a single request may involve thousands or even hundreds of thousands of emails, documents, chat messages and attachments. Even with experienced reviewers, identifying relevant information and applying consistent decisions across these large datasets is time consuming and prone to human inconsistency.
This is where AI can fundamentally reshape and vastly improve the process.
AI for the Document Review
One of the most immediate opportunities for added efficiency is during document review. Rather than requiring costly reviewers to manually assess documents from first principles, AI can rapidly analyse content, identify personal data relating to the data subject and prioritise documents based on likely relevance.
It can provide a thorough and contextual analysis of all the responsive documents and return a reduced population. Documents can be grouped by topic, clustered by similarity and ranked according to their relevance. Additionally, (and probably most importantly), the AI can provide its reasoning to support defensibility.
And of course, avoiding sensational figures, all of this can be done in a fraction of the time and at a level of accuracy much greater than a human reviewer.
AI-Enhanced Redactions
The next logjam in DSARs is redaction, which has traditionally been one of the most labour-intensive stages of any review.
Simply put, modern redaction tools can automatically detect:
- Names
- Email addresses
- Telephone numbers
- National Insurance numbers
- Financial information
- Other personally identifiable information (PII)
More sophisticated models can also identify contextual references to individuals rather than relying solely on exact matches. This dramatically reduces the time reviewers spend searching for sensitive information while improving consistency across large productions. While human reviewers should still remain responsible for validating the final output, AI can significantly reduce the repetitive effort involved.
The Importance of Defensibility and Compliance
Speed is valuable, accuracy is essential, but defensibility is what ultimately protects organizations.
If an individual challenges a response, or the ICO investigates a complaint, organizations must demonstrate that they followed a reasonable and well-governed review process. It’s important to note that the ICO has consistently emphasised that organizations should adopt proportionate and reasonable measures when responding to DSARs.
It recognises that organizations may use technology to assist with compliance, provided appropriate oversight and governance are maintained, and this is where AI-assisted workflows offer an often-overlooked advantage.
Modern review platforms increasingly provide detailed audit trails showing:
- How documents were identified
- Why documents were classified as relevant
- Which redactions were applied
- Who reviewed each decision
- When decisions were made
- What changes occurred throughout the review lifecycle
We are way beyond the perception that AI is a “black box.” Properly implemented AI can improve transparency by documenting review decisions more consistently than purely manual processes.
Decisions Stay with People
With all of the benefits that AI brings to this laborious process, it’s still important that the right level of legal oversight remains in place. Whilst there is an argument to say it’s possible, AI should not be making decisions in isolation.
Legal exemptions such as privilege, confidential references or management forecasting require legal judgement that only humans who understand the nuance of the law can provide. AI can surface potentially relevant material, but qualified reviewers remain responsible for applying the law.
This human-in-the-loop approach creates a review process that is both efficient and defensible.
The Role of Specialist eDiscovery Providers
While much of the discussion has focused on the benefits of using AI, one can’t forget that successfully deploying this technology within DSAR workflows requires more than simply purchasing software. Effective DSAR management depends on combining technology with proven review methodologies, experienced privacy professionals and robust quality assurance. Specialist eDiscovery providers like TCDI are uniquely positioned to deliver this combination.
Having established workflows for large-scale document collection, review and production, providers can integrate AI into existing processes while maintaining the governance and legal oversight required for regulatory compliance.
For clients, this means access to both advanced solutions and experienced legal technology professionals without needing to build these capabilities internally.
Looking Ahead
As DSAR volumes continue to rise and data sources become increasingly diverse, manual review alone is fast becoming unsustainable, especially when it’s weighed against the cost of compliance.
AI offers a highly effective and achievable way to reduce review time, improve consistency and streamline redaction while simultaneously strengthening the defensibility of the entire process.
For organizations responding to higher volumes of increasingly complex requests, success will be judged by demonstrating that every disclosure decision has been made consistently and transparently, which can be achieved so much more effectively using AI. For already busy teams, this is a blessing and allows them to focus on value-added tasks.
While DSARs are an unavoidable “operational challenge,” they don’t have to be a headache. AI can remove much of that burden, but only when it’s properly governed and supported by professionals who understand the process. Get that combination right, and DSARs will begin to feel a lot more manageable.
Andy Edler
Author
Share article:
Andy is VP of Legal Services for TCDI in the UK. He is responsible for the management and development of existing client relationships and the growth of TCDI’s footprint in the legal and corporate market throughout Europe. With over 20 years of experience, Andy has helped major organisations transform operations, minimise cost, improve efficiency, and enhance customer experience with market leading technology and services.