What Makes a DSAR Request Complex? How to Identify and Handle High-Risk Cases

Not every DSAR is difficult.

Some are straightforward. You locate the data, review it, redact where needed, and respond.

Others aren’t like that at all.

They start simple, then expand — more systems, more data, more people involved. That’s where things slow down, and where most of the real risk sits.

---

What makes a DSAR request complex?

A DSAR becomes complex when it stops being contained.

That usually happens when:

• the volume is large
• the data sits across multiple systems
• third-party information is involved
• the request itself is unclear

There’s no strict definition under GDPR. It’s a judgment call.

If a request takes significantly more effort to process, or introduces more risk than usual, it’s complex.

---

What do complex DSARs actually look like?

In practice, they tend to fall into a few patterns.

Long history, large volume
A customer or employee asks for years of data. What sounds simple quickly turns into thousands of files across emails, systems, and archives.

Data spread everywhere
Information isn’t in one place. It’s in inboxes, shared drives, HR systems, Slack, cloud storage — sometimes even with vendors.

Third-party data mixed in
Email threads are the usual problem. You’re not just dealing with one person’s data, but several, all in the same conversation.

Sensitive information
Anything involving health, finance, or internal investigations needs more careful handling and more checks.

Vague requests
“All data you hold about me” sounds straightforward, but it rarely is. You end up going back and forth just to define the scope.

Most complex DSARs aren’t one of these. They’re a combination.

---

Why do complex DSARs take longer?

Because nothing moves cleanly from one stage to the next.

Data collection takes longer because you don’t know where everything is.
Classification slows down because there’s more ambiguity.
Redaction takes more time because decisions aren’t obvious.

And then you get rework.

Something gets missed early, and it shows up later — during review or redaction. Now you’re going back, fixing it, and losing time.

That’s usually where deadlines start slipping.

---

What makes these requests harder to manage?

It’s not just the volume.

It’s everything around it.

• You’re pulling in multiple teams
• You’re making more judgment calls
• You’re documenting more decisions
• You’re more likely to be challenged

And all of this is happening under a deadline.

---

How do you spot a complex DSAR early?

This is where most teams lose time.

By the time they realise a request is complex, they’re already behind.

You can usually tell early if you look for it:

• The request is broad or unclear
• It likely touches multiple systems
• There’s a high chance of third-party data
• The person requesting has a long history with the organisation

Even a quick check at intake can give you a good sense of what you’re dealing with.

---

How should complex DSARs be handled?

You don’t handle them the same way as everything else.

That’s the mistake.

A few things make a big difference:

Set expectations early
If it’s going to take longer, say so. Extensions are allowed — but only if you communicate them properly.

Try to narrow the scope
Sometimes a quick clarification saves hours of unnecessary work.

Avoid working in a straight line
If everything is done one after the other, delays build up. Breaking work across people or stages helps.

Keep decisions consistent
Especially for redaction and classification. Inconsistency is what causes rework later.

Document as you go
Not at the end. By then, you’ve already forgotten why decisions were made.

---

Final thought

Complex DSARs aren’t rare anymore.

They’re becoming normal.

The teams that handle them well aren’t necessarily faster — they just recognise complexity early and adjust how they work.

That’s what keeps timelines under control.