AI-Generated DSARs Are Reshaping Compliance Obligations

US companies subject to UK data protection laws are facing a significant rise in data subject access requests (DSARs). According to a Ropes & Gray article, a key driver for this increase is generative AI, which enables individuals to produce expansive requests in seconds.

These demands go far beyond general inquiries and instead search for every detail, fundamentally altering both the volume and complexity of DSARs that controllers must manage.

Under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018), individuals have the right to confirmation of processing and access to their personal data. AI-generated DSARs now routinely demand disclosure across every conceivable system, from emails to audit trails, and require granular explanations of redactions and search methodologies.

Regulators are registering the impact: the Information Commissioner’s Office (ICO) reports that Article 15 UK GDPR complaints are the single largest category of data protection complaints. Berlin’s data protection authority recorded nearly 50% more complaints in 2025 than 2024, a surge attributed to AI-assisted drafting.

Companies can manage this issue with several practical measures. The Data (Use and Access) Act requires only reasonable and proportionate searches, and permits controllers to pause the statutory clock to seek clarification on overly broad requests.

Early engagement with requesters to narrow the scope, combined with careful documentation of the proportionality rationale, creates a defensible compliance record. Ironically, AI-driven data discovery tools can help organizations efficiently process rising DSAR volumes.

This trend has meaningful implications across enterprise risk management, regulatory compliance, and operational governance. Counsel should evaluate existing DSAR workflows for defensibility, ensure documentation practices align with current ICO guidance, and assess exposure to regulatory problems due to poor responses.

Mergers and acquisitions (M&A), DSAR backlogs, and compliance infrastructure should be factored into due diligence and integration planning.