Data subject access requests (DSARs) are formal requests made by an individual to an organisation, asking to see the personal data that the organisation holds about them. This right is protected under data protection legislation (the UK GDPR), and organisations are usually obliged to respond within a month.
For SMEs, DSARs have historically been a rarity. That is changing fast.
Generative AI tools and bots mean employees and customers of these SMEs can draft a detailed letter of request in seconds. The challenge for SMEs is that these requests are broad in scope and hard to narrow – often a sweeping request for all of their data. A simple email asking for information is becoming a significant headache for SMEs – one that risks exposing gaps in data management, drawing attention to compliance issues and even leading to legal claims or regulatory action.
When ChatGPT meets UK GDPR
A DSAR is simply a formal way for someone to ask what personal data an organisation holds about them. That right sits under UK GDPR, and the ICO’s guidance explains how it should be handled.
Until recently, most DSARs were straightforward and fairly limited in scope. Now, AI tools can generate one in seconds – often packed with phrases like ‘all emails, notes, messages and metadata relating to me’ and similar fine‑print‑style wording that stretches the request much further.
That does not just increase the number of requests people can make; it changes what they look like. What used to be a narrow ask for a few files is now a wide-ranging search exercise across HR records, inboxes, chats, archives and more.
Why DSARs are getting more tactical
DSARs are increasingly being used in employment disputes as a way to quietly gather information before formal disclosure begins.
An employee involved in a grievance, disciplinary issue or tribunal claim might submit a DSAR alongside it. It is a low-cost way to see what turns up: emails, notes, WhatsApp-style messages or even earlier drafts of documents. Where AI is now shaping the request, that can mean asking for archived material or third-party information that needs careful redaction.
For individuals, this can feel like a small, smart move. For businesses, it can quickly become a time-consuming and costly exercise – especially if the wording is broad and vague.
Why SMEs feel it most
No matter how broad the request is, the law requires organisations to carry out ‘reasonable searches’ when responding to a DSAR. For larger companies with in-house compliance teams, that can be time-consuming but manageable. For SMEs, it is often much harder.
If a request asks for, say, ‘all communications relating to me over the past 18 months’, the amount of material to review can quickly spiral. HR, IT and legal teams often have to trawl through email archives, messaging platforms and shared drives. They need to decide what is in scope, what can be redacted and what might be exempt.
Many small businesses do not have in-house privacy expertise, so end up needing to bring in external support. That adds cost while they are also facing a one-month deadline to respond.
The real risks of DSARs
When businesses deal with DSARs, they often focus on what the request might reveal about them. But just as important is what it reveals about their data practices.
A DSAR can act as a window into wider data compliance. It forces an organisation to confront questions such as: what personal data do we actually hold? Why are we keeping it? How long is it stored? And do our policies match what happens in practice?
Where data is held outside the UK, it may also raise issues around international transfers – something that is closely watched by regulators.
DSARs can also expose weak retention practices, such as email archives that go back years longer than they should. They might show that a business is not following its own privacy notices. This is especially risky where sensitive special category data is involved – health, religion, sexuality, trade union membership – all of which are heavily protected under UK GDPR.
Information about criminal convictions also requires extra care. If a DSAR reveals that this data was collected, kept or shared without a proper legal basis, the organisation could face regulatory scrutiny, reputational damage or even legal action.
What SMEs should be doing now
DSARs are just one example of how technology is making it easier for individuals to assert their rights and to push for information. As generative AI becomes more widely used, there is no reason to expect this to slow down.
These requests are no longer a niche compliance issue. They are becoming a regular part of the risk landscape for businesses of all sizes, and a particularly painful one for SMEs with limited resources.
Now is the time for businesses to understand what personal data they hold. They need to know where it is stored, who can access it and how long it is kept. A structured data audit is a valuable starting point to help organisations identify those answers and assess whether their policies reflect reality.
The businesses that handle DSARs well will be those that treat them not as a one‑off chore, but as a signal that their data practices are under the spotlight. If those practices are not up to scratch, a simple request for information can quickly become something far more serious.
Douglas McLachlan is partner and head of data and technology at Anderson Strathern.