The Rising Threat of Fraudulent DSARs in 2025, and How Organisations Can Protect Themselves
Fraudulent DSARs are becoming a real threat in 2025, with rising impersonation attempts, automated request bursts and a sharp increase in ICO complaints. As DUAA places stronger expectations on identity verification and defensible search processes, organisations now need clear safeguards to prevent data from being released to the wrong person. This article explains the warning signs of fraudulent DSARs, the legal risks, and the practical steps every organisation can take to protect both compliance and genuine data subjects.
DSAR volumes across the UK continue to climb, and alongside that growth there has been a noticeable rise in fraudulent or impersonation-based requests. What used to be unusual is now appearing regularly in DSAR inboxes. Early 2025 data shows higher request volumes, more ICO complaints and more organisations reporting suspicious patterns such as mismatched identities, burner email accounts, automated DSAR bursts and requests used to gather information ahead of litigation.
Because a DSAR sits at the point where internal data meets an external individual, a single fraudulent request that slips through can become a privacy incident, a complaint or even a breach that requires notification.
Why fraudulent DSARs matter now
Fraudulent DSARs create three forms of risk.
Legal and regulatory risk
If an organisation releases personal data to the wrong person, it is a breach under UK GDPR. Penalties can reach four percent of global turnover. DUAA 2025 raises expectations even further, so claiming uncertainty or oversight is no longer a safe position.
Privacy risk for genuine data subjects
Fraudsters increasingly use DSARs to try to access information that can be used for identity theft or targeted scams. If they obtain real records, the impact is immediate.
Operational and reputational risk
Fraudulent or mass-generated DSARs drain resources, create backlogs and raise the risk of mistakes. Some organisations have reported thousands of requests arriving in short windows, often from automated scripts. In sectors like finance and healthcare, where ICO complaints are already significant, even one mishandled response can damage trust.
DUAA 2025 makes identity verification unavoidable
The Data Use and Access Act 2025 turns identity verification into a clear legal expectation. It reinforces the idea that organisations must take proportionate steps to confirm who they are dealing with before releasing personal data.
Important points include:
- The ability to pause DSAR timelines while verifying identity or seeking clarification
- A statutory expectation that searches and responses remain reasonable and proportionate
- Heightened attention on requests that appear unfounded or disruptive
Identity verification is no longer just a best practice. It is now essential to compliance.
How to protect against fraudulent DSARs without creating unnecessary barriers
Fraud prevention must be balanced with accessibility. The strongest DSAR models introduce checks that make sense for the level of risk involved.
Apply proportionate identity checks
Use methods that reflect how the organisation normally interacts with the requester, such as student IDs, employee numbers, NHS numbers or secure reply-to-sender confirmations.
Avoid overly intrusive steps like demanding passport scans unless there is a genuine need.
Use DSAR intake risk scoring
Flag indicators such as:
- IP locations that do not align with the requester
- Brand-new email accounts
- Large numbers of requests submitted in a short period
- Missing or inconsistent details
- Requests connected to potential litigation
This helps teams route high-risk cases for extra checks.
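The following is an added example, not code from this article or from any DSAR platform: a minimal intake scorer covering the five indicators listed above. The field names, weights, thresholds and sample requests are assumptions constructed for illustration, and email account age is assumed to come from a separate enrichment step.

```python
from datetime import datetime, timedelta

# Assumed weights and thresholds; tune them to your own intake data.
WEIGHTS = {"ip_mismatch": 2, "new_email": 2, "burst": 3,
           "missing_details": 2, "litigation": 1}
ESCALATE_AT = 4                      # score at which a case gets extra checks
BURST_WINDOW = timedelta(hours=1)    # "short period" for the burst indicator
BURST_COUNT = 3                      # requests from one source IP in the window
NEW_ACCOUNT_DAYS = 30
REQUIRED = ("name", "email", "reference")

def score_requests(requests):
    """Return {id: (score, sorted flags, route)} for a batch of intake records."""
    results = {}
    for r in requests:
        flags = set()
        if r["ip_country"] != r["record_country"]:
            flags.add("ip_mismatch")
        if r["email_age_days"] < NEW_ACCOUNT_DAYS:
            flags.add("new_email")
        peers = [p for p in requests if p["source_ip"] == r["source_ip"]
                 and abs(p["received"] - r["received"]) <= BURST_WINDOW]
        if len(peers) >= BURST_COUNT:
            flags.add("burst")
        if any(not r.get(field) for field in REQUIRED):
            flags.add("missing_details")
        if r.get("litigation_related"):
            flags.add("litigation")
        score = sum(WEIGHTS[f] for f in flags)
        route = "extra_checks" if score >= ESCALATE_AT else "standard"
        results[r["id"]] = (score, sorted(flags), route)  # flags double as the logged reason
    return results

T0 = datetime(2025, 3, 1, 9, 0)

def make(rid, minutes, **overrides):
    """Build a constructed sample request; overrides replace the baseline fields."""
    base = {"id": rid, "name": "A. Example", "email": "a@example.org",
            "reference": "EMP-1001", "ip_country": "GB", "record_country": "GB",
            "email_age_days": 2000, "source_ip": "198.51.100.7",
            "received": T0 + timedelta(minutes=minutes)}
    return {**base, **overrides}

burst = {"source_ip": "203.0.113.9", "ip_country": "XX", "email_age_days": 2}
SAMPLE = [make("R1", 0), make("R2", 5, **burst), make("R3", 8, **burst),
          make("R4", 12, **burst),
          make("R5", 200, source_ip="198.51.100.20", reference="", litigation_related=True)]

if __name__ == "__main__":
    for rid, outcome in score_requests(SAMPLE).items():
        print(rid, outcome)
```

A single weak indicator stays on the standard route, which keeps the checks proportionate; only stacked indicators trigger extra verification.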
Standardise verification processes
Ensure handlers follow the same steps each time, especially for:
- Routine requests
- Requests involving sensitive data
- Requests that appear suspicious
- Cases that need escalation
Consistency is one of the strongest protections against complaints.
Keep a complete verification record
Every check should be logged. The record should show what was verified, why it was necessary and how identity was confirmed.
This protects the organisation if a requester challenges the process, and it helps justify decisions during audits.
How DSAR platforms support fraud prevention
Modern DSAR platforms help by:
- Prompting identity verification at the right moments
- Flagging unusual or high-risk patterns
- Keeping clear audit logs of the verification process
- Reducing manual steps that often lead to errors
DSAR.ai, for example, can highlight suspicious traits, guide handlers through proportionate verification and build a complete audit trail that supports defensible compliance.
The takeaway
Fraudulent DSARs are becoming more common, and DSAR teams cannot rely on informal checks or assumptions. With DUAA enforcement strengthening and request volumes rising, organisations need to focus on proportionate verification, consistent processes and proper documentation.
The organisations that put these controls in place will reduce complaints, lower breach risk and build trust. Those that delay may find themselves facing avoidable incidents and regulatory scrutiny.

