
A simple request for information can quickly turn into a test of whether your business has its data act together.
By Douglas McLachlan, Partner and Head of Data & Technology, Anderson Strathern
Generative AI has made it easier than ever to create a data subject access request (DSAR) – and harder than ever for businesses, especially SMEs, to handle.
What used to be a simple email asking for a few files can now arrive as a wide-ranging request that’s quick to send, difficult to narrow and a logistical nightmare to answer. What was once a niche compliance issue is fast becoming a regular business headache.
When AI meets UK GDPR
A DSAR gives someone the right to ask what personal data you hold about them – it’s part of UK GDPR and explained in the ICO’s guidance.
But thanks to AI, people can pull together a detailed request in seconds, filled with legal phrasing and clever add-ons like metadata or all previous versions of any document. Suddenly, the request isn’t a simple ask, but a scavenger hunt across HR files, inboxes, archived material and chat logs. It creates a significant amount of material to review.
Why SMEs are feeling it
DSARs often pop up in employment disputes or workplace grievances; they can be a cheap way to get information before formal disclosure starts – and AI makes them far broader and more time-consuming.
That creates a practical problem for businesses. Many SMEs find the one-month legal deadline to respond doesn’t stretch far. Without in-house privacy experts, they’re left scrambling and often calling in expensive help from lawyers or consultants.
The hidden risk
Responding to a broad-ranging DSAR can take a lot of time, but that’s not the real concern. More importantly, these requests can expose weaknesses in how you’re handling data. Maybe you’re keeping records for too long, haven’t followed retention rules or your privacy notices don’t reflect reality.
Even worse, a request might surface problems around sensitive data. Things like health details, religious beliefs or trade union membership all require extra protection and safeguards. If you’re not providing that, it’s not just a reputational issue – it could lead to regulatory scrutiny and fines.
What SMEs should do now
Treat DSARs as a business stress test, not just a legal requirement. The smartest move is to get organised before one lands in your inbox.
- Know what personal data you hold, where it lives, who can access it and how long it’s kept.
- Build a clear internal process for responding.
- Run a structured data audit to spot problems before a DSAR does.
As AI-generated DSARs become more common – and more demanding – the businesses that handle them best will be those that already have their data in order. Receiving them is a test you don’t want to fail.
Douglas McLachlan is the Partner and Head of Data & Technology at Anderson Strathern, where he advises clients across all aspects of Intellectual Property and IT law, including protection, freedom of information, cyber law and digital governance issues.
