How AI is turning Data Subject Access Requests into a problem for SMEs

A data subject access request (DSAR) is a formal request made by an individual to an organisation, asking to see the personal data that the organisation holds about them. This right is protected under data protection legislation (the UK GDPR), and organisations are usually obliged to respond within a month.

For SMEs, DSARs have historically been a rarity. That is changing fast.

Generative AI tools mean employees and customers of these SMEs can draft a detailed letter of request in seconds. The challenge for SMEs is that these requests are often broad in scope and, at the same time, very specific about where the requester wants the SME to search – often amounting to a sweeping request for all of their data. The UK GDPR makes it difficult to narrow the scope of these requests. A simple email asking for information can become a significant headache for SMEs – one that risks exposing gaps in data management, drawing attention to compliance issues and even leading to legal claims or regulatory action.

When ChatGPT meets UK GDPR

Until recently, most DSARs were straightforward and fairly limited in scope. Now, AI tools can generate one in seconds – often packed with phrases like “all emails, notes, messages and metadata relating to me” and similar fine‑print‑style wording that stretches the request much further.

That does not just increase the number of requests people can make; it changes their scope and detail (whether the requester really intended to do so or not). What used to be a narrow ask for a few documents is now a wide-ranging search exercise across HR records, inboxes, chats, archives and more.

Why DSARs are getting more tactical

DSARs are increasingly being used in employment disputes as a way to quietly gather information before formal disclosure begins.

An employee involved in a grievance, disciplinary issue or tribunal claim might submit a DSAR alongside it. It is a low-cost way to see what turns up: emails, notes, WhatsApp-style messages, or even earlier drafts of documents. Where AI is now shaping the request, that can mean asking for archived material or third-party information that needs careful redaction.

For individuals, this can feel like a small, smart move. For businesses, it can quickly become a time-consuming and costly exercise – especially if the wording is broad and vague.

Why SMEs feel it most

No matter how broad the request is, the law requires organisations to carry out “reasonable searches” when responding to a DSAR. For larger companies with in-house compliance teams, that can be time-consuming, but manageable. For SMEs, it is often much harder.

If a request asks for, for example, “all communications relating to me over the past 18 months,” the amount of material to review can quickly spiral. HR, IT and legal teams often have to trawl through email archives, messaging platforms and shared drives. They need to decide what’s in scope, what can be redacted and what might be exempt.

Many small businesses do not have in-house privacy expertise, so end up needing to bring in external support. That adds cost while they are also facing a one-month deadline to respond.

The real risks of DSARs

When businesses deal with DSARs, they often focus on what the request might reveal about them. But just as important is what it reveals about their data practices.

A DSAR can act as a window into wider data compliance. It forces an organisation to confront questions such as: what personal data do we actually hold? Why are we keeping it? How long is it stored? And do our policies match what happens in practice?

Where personal data is held outside the UK, it may also raise issues around international transfers – something that is closely watched by regulators.

DSARs can also expose weak retention practices, such as email archives that go back years longer than they should. They might also show that a business is not following its own privacy notices. This is especially risky where sensitive special category data is involved – information about someone’s health, religion, sexuality or trade union membership – all of which is heavily protected under the UK GDPR.

Information about criminal convictions also requires extra care. If a DSAR reveals that this data was collected, kept or shared without a proper legal basis, the organisation could face regulatory scrutiny, reputational damage or even legal action.

What SMEs should be doing now

DSARs are just one example of how technology is making it easier for individuals to assert their rights and to push for information. As generative AI becomes more widely used, there is no reason to expect this to slow down.

These requests are no longer a niche compliance issue. They are becoming a regular part of the risk landscape for businesses of all sizes, and a particularly painful one for SMEs with limited resources.

Now is the time for businesses to understand what personal data they hold. They need to know where it is stored, who can access it and how long it is kept. A structured data audit is a valuable starting point to help organisations identify those answers and assess whether their policies reflect reality.

The businesses that handle DSARs well will be those that treat them not as a one‑off chore, but as a signal that their data practices are under the spotlight. If those practices are not up to scratch, a simple request for information can quickly become something far more serious.

How we can help

If you would like to discuss any matters relating to data and technology, please email Douglas McLachlan, or contact a member of our specialist team.

This article has been published in the following publications:

SME Today

Small Business
