Data subject access requests (DSARs) have a way of arriving at the worst possible moment, and they rarely arrive alone. Organizations often receive multiple DSARs around the same time, like when one employee files a request and others follow suit, or when a news event prompts customers to submit requests all at once. Regardless of the reason, each of these requests can require pulling personal data out of email, HR systems, CRM records, file shares, and chat tools, all on a statutory time clock.
While volume is a major problem, what actually breaks the process is the variability underneath that volume. Those unknowns, along with the hidden manual work that teams often overlook, are areas where this process can spin wildly out of control.
Today, GenAI often gets pitched as the obvious solution, and to be fair, it has the potential to reduce a lot of the manual effort involved. Even so, legal teams have good reasons to be cautious about relying on AI in a regulated process, because a DSAR isn’t a workflow where mistakes are easy to recover from. If sensitive third-party data is missed during redaction, or a coding decision can’t be explained six months later when the ICO asks, any efficiency gained at the start is quickly outweighed by the resulting compliance risk.
So, the question worth answering now is how to integrate AI in a way that improves the process while also preserving the transparency, control, and auditability required for regulatory compliance.
Start Where AI Adds Value, Safely
The easiest way to think about how to use GenAI safely is to introduce it where mistakes are easiest to detect, then expand its role only as the surrounding controls become stronger. In the context of a DSAR, intake and triage are the initial steps that happen before anyone starts reviewing or disclosing information. This can be the safest point to introduce GenAI since it’s where errors are still easy to identify and correct.
A GenAI model can read an incoming request and summarize it into the things you actually need to act on, like names, identifiers, date ranges, and the systems likely to hold relevant data. It can draft the clarification questions when a request is vague, and it can flag whether you’re looking at an employee DSAR or a customer one to ensure you’re working out of the right playbook.
None of that is the model deciding anything, which is a compliance team’s biggest fear. All the GenAI model is doing is reading the request and writing a first-draft response. A human is still the one who approves the search terms or concepts for collection or proofreads the clarification email before it goes out.
Because the output is always reviewed by someone with authority before it has any effect, an error at this stage is easy to catch in the normal course of business. This is a pattern worth establishing early, because you’ll want to repeat it as the GenAI model moves into the more complex stages of a DSAR.
Use the Model to Shrink the Pile, Not to Make the Call
Once the request has been understood, the next objective is reducing the volume of documents requiring human review. The most expensive part of a DSAR is this stage, largely because every document a reviewer has to open costs time and money. The biggest gains come from reducing the review population before anyone starts reading.
And much of that has little to do with GenAI. Deduplication, near-duplicate detection, email threading, date and domain filtering, and the early exclusion of obviously non-responsive categories all reduce the volume of documents requiring human review. In one TCDI matter, eight custodians produced more than 13,400 emails and attachments. With deduplication and AI-driven exclusion, over 10,000 of those were removed, leaving just over 3,000 for human review.
Applying AI at this stage is low risk because the reduction process is transparent and defensible. Every exclusion is based on a defined rule or workflow that can be explained if the process is later challenged.
GenAI can extend this by suggesting a likely issue tag based on a document’s content, or by writing a short summary that helps a reviewer decide faster. Again, the AI system suggests, and the reviewer confirms. The GenAI model provides recommendations to a reviewer, but the reviewer remains accountable for every coding decision.
Where Autonomous Review Fits
Reducing the review population is one thing. Allowing AI to make review decisions is another. The obvious next question is whether GenAI should move beyond assisting reviewers and start making coding decisions on its own.
The technology is capable of doing that, and in the right circumstances allowing it to do so has the potential to reduce review time dramatically. It’s also the point where the risk increases, which means rigorous controls need to be put in place.
The answer is to not give GenAI free rein. Autonomous review needs to operate within clearly defined boundaries. The review criteria, document population, and confidence thresholds should all be established by a human before any analysis begins, and the results should be subjected to a lot of quality control.
Equally important is creating as much transparency as possible. Every coding decision should be accompanied by the reasoning that led to it, creating a clear history of how the outcome was reached.
This provides an audit trail that supports the process if decisions are later questioned by a regulator, court, or data subject. When GenAI can provide full reasoning for each decision, the result is a defensible data control set and an audit trail that runs from the first document to the last.
Redaction is Where Fast Can Become Dangerous
Even after review is complete, one of the highest-risk stages still remains: redactions. And if there’s one stage where speed can betray you, it’s this one. A redaction error is an eDiscovery error, and those are the ones that end up in front of a regulator.
Automated tooling can apply redactions quickly and consistently. Consistency genuinely matters here, since redactions with standardized reasoning codes are easier to defend than varied manual decisions across similar documents.
But automation alone isn’t enough when the material is sensitive. The real control is a mandatory quality control review. High-risk material, including special category data, third party personal data, and legally privileged or otherwise sensitive information, should undergo a second level of quality control before production. Nothing should be released without final human approval.
Supporting that process is a complete audit trail showing what changed, who made the change, when it was made, and why. If a discovery decision is challenged, the document history is there to explain exactly how, and, or why the decisions was reached.
The Governance and Human-in-the-Loop Layer is the Actual Product
The common thread throughout this process is governance. These new technologies are only one part of the equation, and what makes their use defensible is the governance we put around them. That includes defined workflows, human oversight, quality control, and a clear audit trail. Without these controls, faster processing comes at the expense of accountability.
And this really matters when it comes to DSARs. The client owns policy, final sign-off, and escalation. The managed service provider runs case management, automation, review operations, and QC. The work can speed up as much as the technology allows, as long as every person involved stays accountable.
Caragh Landry
Author
Share article:
With nearly 30 years of experience in the legal services field, Caragh Landry serves as the Chief Legal Process Officer at TCDI. She is an expert in workflow design and continuous improvement programs, focusing on integrating technology and engineering processes for legal operations.
Caragh is a thought leader who frequently presents on Technology Assisted Review (TAR), GenAI, data privacy, and innovative lean process workflows. In her role at TCDI, Caragh oversees workflow creation, service delivery, and development strategy for the managed document review team and other service offerings.