DSARs in 2025: Stay Ahead of Regulations


As data protection regulations evolve and employee rights awareness grows, organisations are seeing a significant uptick in Data Subject Access Requests (DSARs). Pursuant to Article 15 of the UK and EU General Data Protection Regulation (together the GDPR), individuals have the right to obtain all personal data that a data controller holds about them (subject to a few limited exemptions). DSARs continue to be a critical area of focus for legal and compliance professionals.
On 1 May 2025, Alston & Bird and TransPerfect Legal hosted a webinar titled ‘DSARs in 2025: Stay Ahead of Regulations’. Speakers delved into the challenges, legal nuances and strategic responses shaping the DSAR landscape.
Moderated by Hanna Hewitt, Associate in Alston & Bird’s Privacy, Cyber and Data Strategy team, the session featured expert insights from Kelly Hagedorn, Partner in Alston & Bird’s Privacy, Cyber and Data Strategy team, and Anna Nicola, Director at TransPerfect Legal. The conversation explored best practices and recommendations for navigating increasingly complex DSAR scenarios, drawing on past experience to help attendees improve their future practice.
To assist those who were unable to attend, we have collated key takeaways and statistics from the webinar below.
Webinar Stats at a Glance
- DSAR Volume: 57% of attendees stated that their organisation receives between 1–10 DSARs annually, whilst 35% handle more than 10 per year.
- Employee DSAR Risk: 50% of respondents reported that over 80% of employee DSARs are high risk and often linked to employment litigation. An additional 25% estimated that between 40–80% of employee DSARs pose a high risk to the business.
- Policy Confidence: Only 29% of attendees expressed strong confidence in the application of their retention and deletion policies, leading to complexities in responding to DSARs.
- Use of Exemptions Guidance: 75% of attendees reported moderate to heavy reliance on ICO/EDPB guidance when applying exemptions, whilst just 13% described themselves as minimally reliant.
- Technology Use: 44% of attendees use third-party tools for DSAR review and redaction, whereas 11% still rely primarily on manual processes.
The Expanding Volume and Strategic Use of DSARs
DSARs are sometimes used by data subjects, as was intended, to understand which of their personal data a controller has collected and is processing. However, DSARs are increasingly being used for other purposes, most notably as a pre-litigation disclosure mechanism in employment claims.
‘Around 80% of the DSAR requests TransPerfect Legal handles are tied to parallel claims, whether it's grievances, tribunals or settlement negotiations, so they carry a high level of contentious risk’, observed Anna Nicola, underlining the motivations behind many requests.
Considering this, Anna noted that many clients now proactively engage expert support for DSARs linked to claims, ensuring legal risk is tightly managed from the beginning.
Fig 1: According to webinar polling, over 70% of attendees reported receiving between 5 and 50 DSARs annually, with 36% falling into the 5–10 range.
Fig 2: Furthermore, half of attendees indicated that 80% of employee DSARs they receive are considered high risk, whilst a quarter stated that between 40–80% of such requests carry significant legal and/or reputational exposure.
Legal Pitfalls and Risk of Over-Disclosure
It is important for organisations to remember that a DSAR only gives a data subject the right to receive a copy of their personal data. A DSAR does not give a data subject a right to receive documents. Therefore, organisations must make sure that they appropriately apply redactions to remove reference to the personal data of others and/or any other information that may fall within one of the exemptions.
Kelly noted that it is important to approach these high-risk DSARs appropriately, and to work with data protection and employment counsel to identify, review and redact materials. The possibility for later arguments during the litigation disclosure process should always be considered and managed carefully.
Anna recounted a case where a third-party payroll provider failed to correctly burn in redactions, meaning that when documents were produced and sent to the data subject, they could simply “delete” the redactions in the PDF. All information was visible to the data subject (i.e., the data subject received significantly more than just a copy of their personal data). What should have been a routine response escalated into a compliance investigation, requiring a complete re-collection and re-review of data, increasing time and costs incurred.
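
A pre-send check for the failure described above, as an added example that is not from the webinar or either firm: it flags overlay annotations left in a produced PDF and withheld terms still recoverable from its text streams. The sample files and the withheld name are constructed, and the byte-level scan only sees literal strings in uncompressed or Flate-compressed streams, so a clean result does not replace review with a full PDF parser.

```python
import re
import zlib

# Annotation subtypes often used to draw a box over text without removing it.
OVERLAY = re.compile(rb"/Subtype\s*/(Redact|Square|Highlight)\b")
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def pdf_layers(data: bytes) -> list:
    """Return the raw file plus every stream that inflates with zlib."""
    layers = [data]
    for match in STREAM.finditer(data):
        try:
            layers.append(zlib.decompressobj().decompress(match.group(1)))
        except zlib.error:
            continue  # image data or another filter: nothing to inflate
    return layers


def audit_redacted_pdf(data: bytes, withheld_terms: list) -> dict:
    """Flag overlay annotations left in the file and withheld terms still present."""
    layers = pdf_layers(data)
    overlays = sum(len(OVERLAY.findall(layer)) for layer in layers)
    leaked = sorted(
        term for term in set(withheld_terms)
        if any(term.lower().encode("utf-8") in layer.lower() for layer in layers)
    )
    return {"overlay_annotations": overlays, "leaked_terms": leaked,
            "safe_to_send": overlays == 0 and not leaked}


def build_sample(page_content: bytes, annotation: bytes = b"") -> bytes:
    """Constructed, minimal PDF-like file: one Flate stream plus optional annotation."""
    packed = zlib.compress(page_content)
    return (b"%PDF-1.7\n1 0 obj\n<< /Filter /FlateDecode /Length "
            + str(len(packed)).encode() + b" >>\nstream\n" + packed
            + b"\nendstream\nendobj\n" + annotation + b"%%EOF\n")


# Constructed samples: a box drawn over live text vs. text removed and box painted.
OVERLAID = build_sample(
    b"BT /F1 12 Tf (Colleague: Priya Shah) Tj ET",
    b"2 0 obj\n<< /Type /Annot /Subtype /Square /Rect [70 700 300 720] >>\nendobj\n")
BURNED_IN = build_sample(b"0 g 70 700 230 20 re f")

if __name__ == "__main__":
    for name, pdf in (("overlaid", OVERLAID), ("burned-in", BURNED_IN)):
        print(name, audit_redacted_pdf(pdf, ["Priya Shah"]))
```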

The panel also discussed the importance of training employees on communication best practices, prevention always being better than cure. For example, employees should consider how an email might appear to the data subject or a third party before hitting send. If it would create legal risk or otherwise be embarrassing, communicate verbally. Organisations should also consider their use of instant messaging platforms such as Microsoft Teams and Slack. Messages sent between employees using such platforms will also have to be reviewed and disclosed as necessary when responding to a DSAR. Although these are workplace communication tools, there is a subliminal tendency to treat them like personal communication tools. Arguably, they are an even higher risk area for most businesses.
GDPR DSAR Exemptions: How to Apply Them Confidently
In certain circumstances, organisations can rely on exemptions to withhold certain personal data from a data subject. The UK data protection regulator maintains detailed guidance regarding the use of exemptions. Some of the most relied upon exemptions include legal privilege, management forecasting and confidentiality.
‘If you're comfortable, upon careful consideration with the benefit of legal advice, that an exemption applies, then stand firm’, Kelly noted.
Organisations should carefully consider whether an exemption is applicable and seek independent legal advice where necessary. It is always best practice to document when and why an exemption has been relied upon.

Fig 4: When asked about reliance on official guidelines, 50% of webinar participants indicated they were moderately reliant on ICO and EDPB guidance, whilst 25% reported heavy reliance. This reflects the ongoing dependence on regulatory interpretation, especially in complex or borderline exemption cases.
Leveraging Technology to Manage DSAR Compliance Complexity
The role of technology in responding to a DSAR has become indispensable as the number of data sources that organisations rely on multiplies. Cloud services, collaboration tools and modern messaging platforms (when coupled with Microsoft Outlook or Google Mail) create a complex environment for data collection and review.
Prior to collecting any documents, organisations should identify all structured and unstructured data sources so that the personal data provided to a data subject is comprehensive.
When carrying out document review, Anna highlighted the importance of using name-specific search terms and including variations like nicknames, common misspellings, aliases and initials. It is crucial to account for linguistic and cultural variations, especially in multinational settings.
Modern attachments, such as cloud-based links contained within documents to either SharePoint or OneDrive, are often missed during standard exports, leading to incomplete responses and increased risk. Failing to capture these links can result in re-collections under time pressure.
In terms of tooling, 44% of respondents rely on third-party software for review and redaction, whilst 11% still use manual processes. 33% indicated use of in-house developed tools, illustrating the diverse maturity levels in DSAR operations.
The fragmented tech stack may explain why one attendee noted a desire for a ‘seamless process from Mimecast to Relativity’ – a reflection of difficulties in managing end-to-end workflows with existing systems.
Training and Awareness: An Organisational Imperative
Human error remains a risk when responding to a DSAR. Without adequate training, even well-intentioned internal teams may misinterpret requests or mishandle data. As complexity grows, so too does the need for a structured and coordinated approach. Both Anna and Kelly stressed the importance of cross-functional alignment between legal, privacy, compliance, IT and HR.
Education should extend across business functions, not just legal and compliance. Individuals receiving initial requests (e.g., HR, customer service) must recognise what qualifies as a DSAR, understand the time constraints and know the internal escalation process. Internal DSAR response processes should be clearly documented, and organisations should ensure all employees are trained on how to identify a DSAR and what to do if one is received. Anna recommended ensuring legal counsel is looped in early, and any external providers are briefed on the broader context. This avoids duplicative work, inconsistent disclosures and unforced errors.
Feedback from webinar participants consistently highlighted gaps in internal understanding. Key responses included the need for ‘more mature infrastructure and internal awareness’, and ‘better coordination amongst business units for data search’. A clear training deficit also emerged, with multiple attendees requesting ‘clearer guidance on disclosure scope’ and faster data retrieval.
Conclusion: A Proactive Approach to an Enduring Obligation
As the webinar highlighted, a reactive approach to DSARs is no longer sufficient. Organisations must embed DSAR readiness into their privacy operations, legal strategies and employee training.
By combining legal rigour, technological precision and internal education, organisations can not only stay compliant but also reduce reputational exposure and litigation risk.
Despite the operational strain and legal sensitivity surrounding DSARs, the message from the webinar was clear: organisations that invest in preparedness, collaboration and the right tools will be best placed to handle future challenges with confidence.
As Kelly aptly concluded, ‘The pain of DSARs may be real, but so too is the value in getting them right’.
TransPerfect Legal and Alston & Bird would be happy to discuss challenges in your DSAR responses and share insights on how to strengthen your cyber security programmes and address data privacy challenges. Contact our team for more information.
*This article was written by Kelly Hagedorn and Hanna Hewitt, lawyers on the Privacy, Cyber & Data Strategy team at Alston & Bird, in partnership with Anna Nicola, Director of Business Development, and Reuben Miller, Associate in Consulting & Information Governance at TransPerfect Legal.
Alston & Bird’s Privacy, Cyber & Data Strategy team is based in the US, Brussels and London. They are on call to tackle any issue, anywhere, any time. They support leading global brands in critical cybersecurity, incident response, privacy and data protection matters. Their attorneys have broad experience across US and international privacy and security issues and “go deep” in more specialised areas when needed.