Data Access Demands: Unpacking the Surge in DSAR Filings and Key Request Categories

Beyond the Numbers: The “Why” Behind the Rise in Data Subject Access Requests

Data Subject Access Requests (DSARs), which grant individuals the right to ask organizations for copies of their personal data, have seen a significant surge in recent years. This increase isn’t merely a statistical anomaly; it reflects a confluence of factors, from heightened public awareness to evolving regulatory landscapes and even new technological influences. Understanding the “why” behind this rise, and which categories of data are most frequently requested, is crucial for organizations striving for robust data protection compliance.

The Contextual Drivers Behind the Increase

Several key factors contribute to the growing volume and complexity of DSARs and subsequent complaints:

  1. Increased Data Protection Awareness and Activism:
    • GDPR’s Legacy: The introduction of the General Data Protection Regulation (GDPR) in 2018 fundamentally transformed data privacy. It not only granted individuals stronger rights but also significantly raised public awareness about these rights through extensive media coverage and educational campaigns. This global impact has resonated beyond the EU, influencing data protection laws worldwide.
    • Data Breach Notifications: Data breaches are increasingly frequent and subject to mandatory notification requirements, so more individuals are directly informed when their personal data has been compromised. This often prompts them to exercise their DSAR rights to understand what data was involved and how it was handled.
    • Privacy Activism: Data protection advocacy groups and legal firms actively encourage individuals to exercise their rights, sometimes providing templates or guidance for submitting DSARs, further normalizing these requests.
  2. Economic Climate and Employment Disputes:
    • Redundancies and Workforce Changes: In periods of economic uncertainty or during organizational restructurings, such as widespread redundancies, DSARs from current and former employees tend to spike. Employees often use DSARs in the context of grievances, disputes, or to gather information pertinent to potential legal action. This is a particularly common trend observed across Europe.
    • Disgruntled Individuals: Customers or employees who are dissatisfied with a service, product, or workplace situation may utilize a DSAR as a means to exert pressure, gather information, or simply express their dissatisfaction.
  3. Proliferation of Data and Digitalization:
    • Complex Data Ecosystems: Organizations today process vast amounts of personal data across numerous systems, from CRM databases and email servers to cloud storage, HR systems, and social media platforms used for business. Locating, retrieving, and reviewing “all personal data” for a DSAR can be an immense, often manual, undertaking.
    • Unstructured Data: A significant challenge lies in unstructured data (e.g., emails, chat logs, internal documents), which is often voluminous and difficult to search effectively, leading to increased complexity and potential for omissions.
  4. Technological Facilitation of Requests:
    • AI-Assisted DSARs: Individuals are increasingly using Artificial Intelligence (AI) tools to draft their DSARs. While this can result in comprehensive and well-written requests, these AI-generated requests may sometimes misinterpret legal nuances or be overly broad, adding to the burden on organizations to respond accurately and within legal parameters.
    • User-Friendly Platforms: The development of privacy management software and portals has made it easier for individuals to submit and track their requests.
  5. Regulatory Scrutiny and Enforcement:
    • Increased Enforcement Actions: Data protection authorities across the EU and UK continue to actively investigate and penalize organizations that fail to respond to DSARs adequately or within statutory deadlines. This enforcement focus serves as both a deterrent for non-compliance and a catalyst for individuals to lodge complaints if their requests are mishandled.
    • Cost of Non-Compliance: The significant fines (up to 4% of global annual turnover or specific monetary caps under GDPR) for DSAR mishandling provide a strong incentive for individuals to escalate issues to supervisory authorities if they believe their rights have been violated.

Categories Most Frequently Requested in DSAR Complaints

While specific data points vary depending on the context of the organization (e.g., healthcare, finance, employment), DSARs generally seek access to “all personal data” held by an organization. However, complaints often arise from failures related to:

  1. Completeness of Data Provided:
    • Missing Information: Individuals frequently complain that organizations have not provided all the personal data they hold, often suspecting that certain documents or data points (e.g., specific emails, internal notes, performance reviews) have been deliberately omitted.
    • Data across Silos: Due to fragmented data storage across different departments (HR, IT, marketing, legal) and third-party processors, organizations often struggle to consolidate all relevant data, leading to incomplete responses.
  2. Timeliness of Response:
    • Missed Deadlines: Under GDPR, organizations typically have one month to respond to a DSAR, extendable by two months for complex or numerous requests, provided the data subject is informed. A significant number of complaints stem from organizations failing to meet these deadlines without proper communication or justification.
  3. Clarity and Intelligibility of Data:
    • Unintelligible Formats: DSAR responses provided in complex, technical, or unstructured formats that are difficult for the average individual to understand can lead to complaints. The GDPR requires data to be provided in a concise, transparent, intelligible, and easily accessible form.
    • Excessive Redactions: While organizations have legitimate reasons to redact third-party personal data, confidential business information, or privileged communications, excessive or poorly justified redactions can prompt complaints. Individuals may feel that the organization is intentionally hiding information.
  4. Identity Verification Issues:
    • Overly Burdensome Verification: Organizations asking for excessive or disproportionate proof of identity can frustrate data subjects and lead to complaints, especially if the requested data is not highly sensitive.
    • Inadequate Verification: Conversely, failing to adequately verify the identity of the requester can lead to data breaches if personal data is released to the wrong individual.
  5. Refusal to Act on the Request:
    • Unjustified Refusals: Organizations can refuse manifestly unfounded or excessive requests, but they must be able to demonstrate this. Complaints arise when individuals believe their request was legitimately made but was refused without sufficient justification.
  6. Specific Data Types Frequently Requested: While a DSAR typically seeks all personal data, certain categories are frequently central to complaints, often because they are challenging for organizations to manage or are highly sensitive:
    • Employment-Related Data: Performance reviews, disciplinary records, internal communications (emails, chat messages) related to employment, salary information, and HR files.
    • Customer Interaction Data: Call recordings, customer service notes, email correspondence, purchase history, and website/app usage data.
    • Financial Data: Banking information, payment history, and credit scores.
    • Sensitive Personal Data: Health records (where applicable), biometric data, or data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
    • Inferred/Profiling Data: Information derived from analysis of an individual’s behavior or characteristics (e.g., marketing profiles, risk assessments).

Conclusion

The rising number of DSAR complaints underscores a fundamental shift in the relationship between individuals and the organizations that process their data. Heightened public awareness, combined with a robust regulatory framework and the complexities of modern data environments, means organizations must invest in streamlined processes, adequate resources, and comprehensive staff training to effectively manage DSARs. Proactive measures, clear communication, and a transparent approach to data handling are no longer just good practice; they are essential to mitigate legal risks, avoid substantial fines, and maintain public trust in an increasingly data-conscious world.
