Data subject access requests (DSARs) are formal demands by individuals to see what personal information an organization holds about them. Under UK GDPR, businesses must respond within a month. For small and medium-sized enterprises (SMEs), these requests were once rare. That is changing. Generative AI tools now let customers and employees draft detailed DSARs in seconds—requests that are broad, hard to narrow, and increasingly complex.
Historically, DSARs were limited in scope. A simple email asking for a few files was manageable. Today, AI-generated requests often include phrases like “all emails, notes, messages, and metadata relating to me.” These sweeping demands force SMEs to search through HR records, inboxes, chats, and archives. What used to be a narrow inquiry now becomes a sprawling data hunt.
Employment disputes are also seeing a rise in DSARs. Employees facing grievances or tribunal claims may submit a request alongside formal proceedings. AI-generated language can stretch the scope further, asking for archived material or third-party information that needs careful redaction. For businesses, this means sifting through vast amounts of data, often with limited resources.
Related: US Cement Demand Booms as Infrastructure Investments Surge
The law requires “reasonable searches” for all DSARs. Large firms with in-house compliance teams can manage this. SMEs, however, often lack the expertise. A request asking for “all communications over the past 18 months” could require reviewing years of emails, shared drives, and messaging platforms. HR, IT, and legal teams must decide what’s in scope, what can be redacted, and what might be exempt.
Many SMEs do not have in-house privacy experts. They end up hiring external help, adding costs while racing against the one-month deadline. Beyond compliance, DSARs expose gaps in data practices. They force organizations to ask what personal data they hold, why it’s kept, how long it’s stored, and whether policies align with reality.
Where data is stored internationally, DSARs may raise issues about cross-border transfers—something regulators watch closely. They can also reveal weak retention practices, like email archives that stretch years beyond legal limits. This is especially risky if sensitive data, such as health records or trade union memberships, is involved. UK GDPR protects these categories heavily.
Information about criminal convictions requires extra care. If a DSAR shows such data was collected or shared without proper legal grounds, the organization could face regulatory scrutiny, reputational damage, or legal action. These risks are growing as AI makes it easier for individuals to assert their rights.
Related: Navigating the Tides: Staying Ahead of Market Trends
DSARs are no longer a niche issue. They are becoming a regular part of the risk landscape for SMEs. Businesses must now understand what personal data they hold, where it is stored, who can access it, and how long it is kept. A structured data audit is a valuable starting point to identify gaps and ensure policies match practice.
Organizations that treat DSARs as routine compliance tasks may miss the bigger picture. These requests are a signal that data practices are under scrutiny. Those that fail to align policies with reality risk turning a simple information request into a serious legal or reputational issue. The challenge for SMEs is clear: adapt quickly or face mounting costs and risks.
As generative AI tools become more widespread, DSARs will only grow more frequent and complex. Businesses that prepare now—by auditing data, improving retention policies, and investing in compliance training—will be better positioned to handle the wave ahead. For SMEs, the time to act is now.
