Data Subject Access Requests explained and solved
DSARs are one of the most operationally demanding obligations under GDPR. Dezcry helps legal and compliance teams respond faster, at lower cost, with a defensible and auditable process.
What is a DSAR?
A Data Subject Access Request — commonly referred to as a DSAR — is a formal request made by an individual to an organisation asking for a copy of the personal data that organisation holds about them. This right is established under Article 15 of the UK and EU General Data Protection Regulation (GDPR), and equivalent provisions exist in data protection laws across Australia, Canada, and other jurisdictions.
Individuals submit DSARs for a variety of reasons. Some want to understand what information an employer or former employer holds about them. Others are preparing for litigation, investigating a grievance, or simply exercising their legal right to transparency. Regardless of motive, organisations are legally required to respond.
A valid DSAR response means locating all personal data the organisation holds about the requester — across email, documents, HR systems, chat platforms, file shares, and databases — and providing a copy within one calendar month. Extensions are possible for complex requests, but the default expectation is clear: one month.
In practice, this is far harder than it sounds. A single employee may appear across thousands of emails, hundreds of documents, multiple chat threads, and several internal systems accumulated over years of employment. Finding all of that data, reviewing it for exemptions, and redacting third-party information before disclosure is a significant operational burden — one that catches many organisations off guard.
Why DSARs are Expensive and Difficult
The core challenge with DSARs is not understanding the obligation — it is fulfilling it. Most organisations store personal data across dozens of systems: email servers, shared drives, HR platforms, CRM tools, chat applications, and legacy databases. There is no single button that retrieves everything related to one person.
Once data is collected, every document must be reviewed individually. Reviewers need to determine whether each item falls within scope, whether it contains the requester's personal data, and whether any exemptions apply. Legal professional privilege, commercial confidentiality, and management planning exemptions all require careful, document-by-document assessment.
Then comes redaction. Before disclosing documents, organisations must remove third-party personal data — names, email addresses, phone numbers, and other identifying information belonging to people who are not the requester. In a single email chain, this can mean redacting dozens of references across multiple participants. Across thousands of documents, the effort is enormous.
Traditional approaches rely on paralegals or junior lawyers reviewing documents one at a time, often in general-purpose tools like Adobe Acrobat or Microsoft Word. At typical legal review rates, a DSAR involving 5,000 documents can cost tens of thousands in legal fees and consume weeks of effort. Larger requests — common in employment disputes and regulatory investigations — can run into six figures.
The legal risk is real. An incomplete response, a missed document, or an accidental disclosure of third-party data can lead to ICO complaints, regulatory enforcement, and reputational damage. The one-month deadline adds constant pressure to a process that demands both speed and precision.
How Dezcry Handles DSARs
Dezcry is an AI-powered eDiscovery platform designed to replace fragmented, manual workflows with a single, structured process. Rather than coordinating across spreadsheets, shared folders, and standalone PDF tools, teams work within one environment from ingestion through to final disclosure.
The workflow starts with data collection. Documents, emails, and attachments from relevant sources are uploaded into a matter workspace. Dezcry handles common formats — PST mailboxes, PDFs, Office documents, images, and plain text — and extracts searchable content automatically, including OCR for scanned documents.
Once ingested, AI-powered classification identifies which documents are likely within scope and which can be deprioritised. This reduces the volume reviewers need to examine manually, focusing attention where it matters most.
AI redaction then identifies personal data belonging to third parties, sensitive categories, privileged content, and confidential information — applying consistent redaction suggestions across the entire document set. Redactions are applied automatically based on configurable rules, eliminating the repetitive work of locating and marking up every reference by hand. Teams choose how much review to layer on top — from full document-level QC to statistical sampling.
The result is a defensible, auditable process that produces a disclosure-ready package in a fraction of the time. Every action — uploads, classifications, redaction decisions — is logged, creating a clear record of what was done and why.
AI Classification of Relevant Documents
One of the biggest time sinks in any DSAR is deciding which documents are actually relevant. A data collection covering five years of email might contain 20,000 items, but only a fraction will contain the requester's personal data in a meaningful way. Newsletters, automated notifications, and company-wide announcements add noise without adding substance.
Dezcry uses AI-powered classification to analyse each document and assess its relevance to the request. The system evaluates content, metadata, and context to determine whether a document is likely within scope, potentially within scope, or clearly outside scope. This produces a prioritised review queue rather than an undifferentiated pile of files.
The practical impact is significant. Instead of reviewing every document sequentially, reviewers can focus on high-relevance items first, defer borderline documents for secondary review, and quickly confirm that out-of-scope material has been correctly excluded. For a request involving 10,000 documents, classification can reduce the active review set by 60 to 80 percent.
Classification also supports consistency. Rather than relying on individual judgement calls that vary from person to person, the AI provides a uniform baseline assessment across the entire document set. Teams can configure how classification results are used — whether as automatic filtering or as a starting point for targeted review.
AI Redaction — The Key Differentiator
Redaction is where DSAR costs escalate most sharply. Before disclosing documents, organisations must identify and remove personal data belonging to third parties — colleagues, customers, external contacts — whose information appears alongside the requester's. They must also identify sensitive personal data (health information, trade union membership, political opinions), commercially confidential material, and content protected by legal professional privilege.
In a traditional workflow, a reviewer opens each document, reads it, manually highlights every name, email address, phone number, and identifying reference that belongs to someone other than the requester, and applies a redaction. For a single email thread with ten participants and fifty messages, this process can take an hour or more. Multiply that across thousands of documents and the cost becomes prohibitive.
Dezcry approaches this differently. The platform uses a multi-layered AI redaction pipeline that automatically identifies personal data, categorises it, and generates redaction suggestions across the entire document set. The system detects names, email addresses, phone numbers, dates of birth, financial identifiers, national insurance numbers, and other personal data types — then distinguishes between the requester's data (which should be disclosed) and third-party data (which should be redacted).
Beyond basic personal data, the AI identifies patterns that signal sensitive categories: references to medical conditions, mental health, disabilities, sexual orientation, religious beliefs, and political affiliations. It also flags content that may be legally privileged — communications with lawyers, legal advice, and litigation-related material — for separate review.
The critical advantage is consistency at scale. A human reviewer working through their 500th document will inevitably miss references that they would have caught on their 50th. Fatigue, distraction, and the sheer monotony of manual redaction introduce errors. The AI applies the same detection logic to every document with the same rigour, regardless of volume.
The system is designed to automate redaction at scale, not just suggest it. Redactions are applied automatically based on configurable rules and confidence thresholds — there is no requirement to approve every individual mark-up. Teams can tailor the workflow to their needs: some choose to review every redacted document, others perform quality checks across a statistical subset of results. The platform supports both approaches and everything in between. All actions are logged, creating a complete audit trail regardless of which review model is used.
The cost impact is substantial. Redaction work that would take a team of paralegals weeks to complete manually can be reduced to days. For organisations handling multiple DSARs per month, the cumulative savings in review hours, external legal fees, and operational overhead can reach tens of thousands per year.
Just as importantly, the process is defensible. If a regulator or requester challenges the adequacy of a response, the organisation can demonstrate exactly how each document was processed, what redaction rules were applied, and how each decision was reached. This level of traceability is difficult to achieve with manual workflows and practically impossible at volume.
End-to-End Workflow Example
To illustrate how the process works in practice, consider a typical scenario: an organisation receives a DSAR from a former employee who worked at the company for six years.
Step 1 — Scoping and collection. The privacy team identifies the relevant data sources: the employee's email mailbox (exported as a PST file), HR records, shared drive folders, and relevant Teams or Slack messages. These are exported from source systems and prepared for upload.
Step 2 — Ingestion. The collected files are uploaded into a new matter workspace in Dezcry. The platform processes each file — extracting text, parsing email metadata, running OCR on scanned documents, and building a searchable index. A collection of 8,000 documents is typically processed within hours.
Step 3 — AI classification. Dezcry analyses the full document set and classifies each item by relevance. Out of 8,000 documents, the system identifies 2,400 as clearly within scope, 1,100 as borderline, and 4,500 as outside scope — turning an undifferentiated backlog into a structured, prioritised workflow.
Step 4 — AI redaction. The platform runs its redaction pipeline across the in-scope documents, identifying third-party personal data, sensitive information, and potentially privileged content. Redactions are applied automatically based on configurable rules and confidence thresholds.
Step 5 — Quality control. Depending on the organisation's workflow, the team may review every redacted document, perform QC across a statistical subset, or focus only on flagged edge cases. The platform adapts to the level of oversight each team requires.
Step 6 — Export and disclosure. Once review is complete, Dezcry generates a disclosure package — redacted documents ready for delivery to the requester. The full audit trail — every classification, redaction decision, and QC action — is preserved for the organisation's records.
A process that might take three to four weeks using manual methods can be completed in days, well within the one-month statutory deadline and with a clear, defensible record of the work performed.
Benefits of Using Dezcry for DSARs
Dezcry is built for teams that need to respond to DSARs efficiently without sacrificing quality or defensibility. The platform delivers measurable improvements across the metrics that matter most.
- Faster response times. AI classification and redaction compress weeks of manual work into days, keeping responses well within the one-month statutory deadline — even for large, complex requests.
- Lower cost. By reducing the volume of documents requiring manual review and automating the most labour-intensive step — redaction — Dezcry significantly cuts the internal staff time and external legal spend associated with each request.
- Consistent redactions. The AI applies the same detection and categorisation logic to every document, eliminating the inconsistencies that arise when large document sets are processed manually.
- Defensible process. Every action in the platform is logged. Classifications, redactions, QC decisions, and exports are all recorded, providing a complete audit trail that stands up to regulatory scrutiny.
- Scalable for large data volumes. Whether a request involves 500 documents or 50,000, Dezcry processes the full set through the same pipeline. The platform scales with the data rather than requiring proportionally more people.
- Reduced legal risk. Systematic processing reduces the chance of missed documents, accidental disclosures of third-party data, or inconsistent application of exemptions — the errors that most commonly trigger complaints and enforcement action.
- Improved operational efficiency. Privacy and legal teams spend less time on repetitive document handling and more time on the judgement calls that actually require their expertise.
Explore DSAR features in detail
Automated Redaction
Five-layer AI pipeline that removes third-party personal data while preserving the subject's information. Purpose-built for DSAR response.
AI Classification
Automatically classify documents by relevance, privilege, and sensitivity. Reduce manual review time by up to 80%.
eDiscovery Search
Boolean, proximity, and wildcard search across millions of documents. Find every relevant record for your DSAR response.
Ready to streamline your DSAR process?
Whether you handle a handful of DSARs per year or dozens per month, Dezcry can help you respond faster, at lower cost, with a defensible and auditable workflow. Get in touch to see the platform in action.