Data subject access requests (DSARs) allow individuals to request access to the personal information organizations hold about them, a right protected under the UK GDPR. Traditionally, small and medium-sized enterprises (SMEs) faced few such requests, but this is rapidly changing due to advancements in generative AI tools.
With AI enabling employees and customers to draft comprehensive DSARs in a matter of seconds, organizations are now confronted with broader, more complex requests. These wide-ranging inquiries may demand access to extensive records, including emails, chat messages, and other documents, complicating compliance efforts for SMEs that often lack the resources to manage them effectively. As such requests increase, SMEs must contend with the potential discovery of data management gaps that could lead to compliance issues and legal repercussions.
DSARs are also gaining traction as tools in employment disputes, enabling employees to gather pertinent information before initiating formal legal proceedings. While this approach may appear tactical for individuals, it places a substantial burden on SMEs, which may have to enlist external expertise to respond within a legally mandated one-month timeframe.
Organizations are legally required to conduct "reasonable searches" for requested information; however, SMEs typically do not have dedicated compliance teams, leading to potential delays and additional costs. Furthermore, poorly managed personal data practices can come to the surface through a DSAR, prompting critical questions about data retention, access, and compliance with legal obligations.
As generative AI continues to shape these requests, SMEs are encouraged to conduct comprehensive data audits to understand their holdings, improve compliance protocols, and treat DSARs as opportunities to enhance their data management practices.
Why this story matters
- The rise of DSARs highlights the increasing importance of data management and compliance for SMEs.
Key takeaway
- SMEs must adapt to the new challenges posed by sophisticated DSARs to avoid compliance risks and potential legal consequences.
Opposing viewpoint
- Some may argue that the use of AI-generated requests complicates the DSAR process unnecessarily for both individuals and organizations.