Why Most Organisations Are Unknowingly Non-Compliant With DSARs


Most organisations believe they are handling Data Subject Access Requests (DSARs) correctly.

They acknowledge requests, gather data, redact documents, and issue responses within roughly the required timelines. On paper, this looks compliant.

In practice, many DSAR workflows fail fundamental GDPR requirements.

These failures are rarely caused by negligence or bad intent.
They are structural.

1. The Silent Compliance Gap in DSAR Handling


The operational model for DSAR compliance was designed for a world of paper records and contained email systems. In that environment, personal data was relatively easy to locate, review, and assemble.

Today’s data environments look nothing like that.

Personal data now lives across email inboxes, cloud storage, CRMs, SaaS platforms, collaboration tools, HR systems, backups, and shadow IT. It exists in unstructured formats, duplicated files, long email chains, attachments, and logs.

The original DSAR process has not survived this transition.

As a result, many organisations are now unknowingly non-compliant with GDPR DSAR obligations — even when acting in good faith.


2. What GDPR Actually Requires in a DSAR

GDPR Article 15 imposes operational obligations that go far beyond simply exporting documents and sending them to a requester.

In practical terms, a compliant Data Subject Access Request process requires:

  • A response without undue delay and in any event within one month of receipt; this can be extended by up to two further months for complex or numerous requests, but the requester must be told of the extension, and the reasons for it, within the first month

  • Confirmation of whether personal data concerning the requester is being processed

  • Access to all personal data relating to the requester, together with the supplementary information listed in Article 15(1): the purposes, the categories of data, the recipients, the retention period, the source of the data, and any automated decision-making

  • Redaction or removal of other people's personal data where disclosing it would adversely affect their rights (Article 15(4)), so that third parties are not exposed in the response

  • Reasonable assurance that the data provided is complete and accurate

  • Records showing that a compliant DSAR workflow was followed, because the accountability principle (Article 5(2)) requires the controller to be able to demonstrate compliance, not merely to have complied

These requirements transform DSAR handling into a verifiable operational process.

Organisations must be able to prove not just that they responded to a DSAR, but that they searched comprehensively, redacted correctly, and followed a defensible workflow.

This is where most manual DSAR processes break down.


3. Where DSAR Compliance Breaks in Practice

Most organisations’ DSAR workflows fail at multiple operational layers.

Fragmented Data Sources

Personal data is scattered across:

  • Email inboxes and archives

  • Shared drives and cloud storage

  • CRM platforms

  • HR systems

  • Support ticketing systems

  • SaaS applications and collaboration tools

  • Backups and exported files

There is rarely a single system of record for personal data.


Manual Data Discovery

Teams rely on keyword searches, exports, and manual review.

This routinely misses:

  • Unstructured data

  • Embedded references

  • Attachments

  • Personal data held in secondary systems

As a result, many DSAR responses are incomplete without teams realising it.


Ad-Hoc Redaction

Most organisations still redact DSAR responses using:

  • PDF editors

  • Visual overlays

  • Manual black boxes

Many of these methods:

  • Do not permanently remove data: a black box drawn over text in a PDF editor is a new drawing object painted on top of the page, while the original text stays in the file and can be recovered by copying it out of the viewer or by any text-extraction tool

  • Are inconsistent between reviewers

  • Are not verifiable after the fact

  • Do not stand up to regulator scrutiny, because the organisation can neither show what was removed nor prove that it is gone

This creates serious redaction risk and third-party data exposure.
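The following script is an added example, not code from the original page or from DSAR.ai, that makes the overlay problem concrete. It assembles a minimal one-page PDF by hand (so it runs offline with only the standard library), produces two "redacted" versions of the same page, and then pulls the text back out of each. The page text, the third-party name "Jane Example" and the rectangle coordinates are constructed for the demonstration; the text extractor is deliberately simple and only handles the uncompressed, plain-ASCII stream this script writes.

```python
"""Why a drawn-over black box is not a redaction.

Added example, not code from the original page. A minimal one-page PDF is
assembled by hand so the script runs offline; the page text and the name
"Jane Example" are constructed for the demonstration.
"""
import re

NAME = "Jane Example"                                  # constructed third party
BODY = f"Complaint raised by {NAME} on 2 March"        # constructed page text
# A filled black rectangle over the line of text (PDF user-space coordinates).
BLACK_BOX = "\n0 g 72 716 300 14 re f"


def pdf_string(text: str) -> str:
    """Escape the characters that are special inside a PDF literal string."""
    return text.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")


def page_stream(text: str) -> str:
    """Content stream that draws one line of 12pt Helvetica at (72, 720)."""
    return f"BT /F1 12 Tf 72 720 Td ({pdf_string(text)}) Tj ET"


def build_pdf(content: str) -> bytes:
    """Wrap a content stream in a structurally valid PDF (uncompressed, so the
    bytes can be inspected directly). Cross-reference offsets are computed."""
    stream = content.encode("latin-1")
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(stream) + stream + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for number, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % number + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_at)
    return bytes(out)


def overlay_redacted_pdf() -> bytes:
    """What a 'draw a black box' tool produces: the text is still drawn,
    then a rectangle is painted over it."""
    return build_pdf(page_stream(BODY) + BLACK_BOX)


def truly_redacted_pdf() -> bytes:
    """A real redaction: the string operand is replaced before the file is
    written, and the box only marks where content used to be."""
    return build_pdf(page_stream(BODY.replace(NAME, "[REDACTED]")) + BLACK_BOX)


def extract_text(pdf: bytes) -> str:
    """Pull the operands of every Tj (show text) operator. Real extractors do
    the same job with far more machinery; this only handles uncompressed
    streams and plain ASCII strings, which is all the demo needs."""
    return " ".join(m.decode("latin-1") for m in re.findall(rb"\((.*?)\)\s*Tj", pdf))


def leaks_name(pdf: bytes) -> bool:
    """True if the third-party name is still recoverable from the file."""
    return NAME in extract_text(pdf)


if __name__ == "__main__":
    print("overlay leaks the name:", leaks_name(overlay_redacted_pdf()))   # True
    print("rewrite leaks the name:", leaks_name(truly_redacted_pdf()))     # False
```

Both files look identical on screen. Only the second one has actually removed the name from the content stream; in the first, select-all and copy in any viewer, or a command-line text extractor, returns it. The same reasoning applies to the other places a name can survive a visual redaction: document metadata, bookmarks, form fields, comments, an OCR text layer under a scanned image, and earlier revisions of an incrementally updated PDF.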


No Deduplication

Email chains, forwarded messages, and attachments generate multiple instances of the same content.

Without deduplication:

  • Review volumes inflate unnecessarily

  • Redaction risk multiplies

  • Verification becomes harder

  • Third-party data exposure increases
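The script below is an added example, not code from the original page or from DSAR.ai, showing one way to collapse an email chain before review: each message is split into its own new text and any quoted blocks, each piece is normalised and fingerprinted, and identical content is then indexed once no matter how many mailboxes, replies or exports it appears in. The three messages, the mailbox labels and the people named in them are constructed; the quote-header pattern matches the common "On … wrote:" attribution line and would need extending for other clients.

```python
"""Deduplicating an email chain by content fingerprint.

Added example, not code from the page. The three messages below are
constructed: an original, a reply that quotes it, and an archive export of
the original with different line endings and spacing.
"""
import hashlib
import re

# Attribution line that mail clients put above quoted text; dropped so it
# does not change the fingerprint of the new text around it.
QUOTE_HEADER = re.compile(r"^On .+ wrote:\s*$")

MESSAGES = {
    "msg-1 hr@ mailbox": (
        "Hi Sam,\n\nPlease find Alex Doe's appraisal notes attached.\n\n"
        "Regards,\nPat"
    ),
    "msg-2 sam@ mailbox (reply)": (
        "Thanks, reviewing now.\n\nOn Mon, 4 Mar 2024, Pat wrote:\n"
        "> Hi Sam,\n>\n> Please find Alex Doe's appraisal notes attached.\n>\n"
        "> Regards,\n> Pat"
    ),
    "msg-3 archive export of msg-1": (
        "Hi  Sam,\r\n\r\nPlease find Alex Doe's appraisal notes attached.\r\n\r\n"
        "Regards,\r\nPat\r\n"
    ),
}


def normalise(text: str) -> str:
    """Collapse whitespace and case so cosmetic differences between copies
    (line endings, double spaces, client re-wrapping) do not matter."""
    return re.sub(r"\s+", " ", text).strip().lower()


def fingerprint(text: str) -> str:
    """Short SHA-256 of the normalised text; equal content, equal key."""
    return hashlib.sha256(normalise(text).encode("utf-8")).hexdigest()[:16]


def segments(body: str) -> list:
    """Split a message into its own new text plus each quoted block, with one
    level of '>' stripped, so a quoted copy of an earlier message fingerprints
    the same as that message. Returns [(kind, text), ...], new text first."""
    new_lines, quoted, found = [], [], []
    for line in body.splitlines():
        if QUOTE_HEADER.match(line.strip()):
            continue
        if line.startswith(">"):
            quoted.append(line[1:].lstrip(" "))
            continue
        if quoted:
            found.append(("quoted", "\n".join(quoted)))
            quoted = []
        new_lines.append(line)
    if quoted:
        found.append(("quoted", "\n".join(quoted)))
    found.insert(0, ("new", "\n".join(new_lines)))
    return [(kind, text) for kind, text in found if normalise(text)]


def build_index(messages: dict) -> dict:
    """Map each distinct piece of content to every place it occurs."""
    index = {}
    for msg_id, body in messages.items():
        for kind, text in segments(body):
            index.setdefault(fingerprint(text), []).append((msg_id, kind))
    return index


def review_counts(messages: dict) -> tuple:
    """(instances a reviewer would otherwise read, distinct items to review)"""
    index = build_index(messages)
    return sum(len(v) for v in index.values()), len(index)


if __name__ == "__main__":
    for fp, places in build_index(MESSAGES).items():
        print(fp, "->", places)
    print("instances vs distinct:", review_counts(MESSAGES))   # (4, 2)
```

For this chain the index holds two distinct items (the original body and the one-line reply) against four instances, and the original body is recorded as appearing in all three messages. That is the practical payoff: the third-party name in the signature block is reviewed and redacted once, with the decision applied to every instance, rather than three times by possibly three different reviewers. Near-duplicates that differ in substance (a re-wrapped quote with a word changed, for example) need a similarity measure rather than an exact hash; this example only handles the exact-after-normalisation case.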


No Audit Trail

Actions are not logged in a consistent or immutable way.

There is no reliable record of:

  • What systems were searched

  • When searches were performed

  • Who performed them

  • How redaction decisions were made

Without an audit trail, organisations cannot prove DSAR compliance.
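As an added example (not code from the original page or from DSAR.ai), here is the minimum structure that makes a DSAR audit trail tamper-evident rather than merely present: a hash chain in which every entry commits to the hash of the one before it, so editing, deleting or reordering an earlier record breaks verification of everything after it. The events, timestamps, actors and system names are constructed; the field names are this example's own, not a standard.

```python
"""A hash-chained DSAR audit log.

Added example, not code from the page. Each entry commits to the previous
entry's hash, so any edit, deletion or reordering of an earlier record breaks
verification. Timestamps, actors and systems are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64


def _entry_hash(prev_hash: str, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same event always
    # hashes the same way regardless of dict ordering.
    payload = json.dumps({"prev": prev_hash, "event": event},
                         sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def append(log: list, event: dict) -> dict:
    """Append an event, binding it to the current tail of the chain."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "prev": prev, "event": event,
             "hash": _entry_hash(prev, event)}
    log.append(entry)
    return entry


def verify(log: list) -> bool:
    """Recompute every link. Returns False on any edited, removed or
    reordered entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev:
            return False
        if entry["hash"] != _entry_hash(prev, entry["event"]):
            return False
        prev = entry["hash"]
    return True


def sample_log() -> list:
    """Constructed trail for one request: what was searched, when, by whom,
    and how a redaction decision was reached. A search with zero hits is
    still logged; proving where you looked matters as much as what you found."""
    log = []
    append(log, {"ts": "2024-03-04T09:02:11Z", "actor": "dpo@example.org",
                 "action": "search", "system": "mailbox-archive",
                 "query": '"Alex Doe" OR adoe@example.org', "hits": 41})
    append(log, {"ts": "2024-03-04T09:40:53Z", "actor": "dpo@example.org",
                 "action": "search", "system": "crm",
                 "query": "contact:Alex Doe", "hits": 3})
    append(log, {"ts": "2024-03-05T14:10:07Z", "actor": "reviewer2@example.org",
                 "action": "redact", "document": "msg-1", "basis": "Art. 15(4)",
                 "reason": "third-party name in signature block"})
    return log


def tampered_log() -> list:
    """The same trail with the CRM search quietly removed from the record."""
    log = sample_log()
    del log[1]
    log[1]["seq"] = 1   # renumbering does not help: the prev hash no longer matches
    return log


if __name__ == "__main__":
    print("intact:", verify(sample_log()))      # True
    print("tampered:", verify(tampered_log()))  # False
```

The chain proves internal consistency, which is enough to detect an after-the-fact edit by anyone who does not also rewrite every later entry. To stop someone who holds the whole log from rewriting it wholesale or truncating its tail, the latest hash has to be anchored somewhere they cannot change: periodically signed with a key the log writers do not hold, written to write-once storage, or sent to an external timestamping service. Without one of those, "immutable" is a claim, not a property.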


No Verification or Version Control

Edits go untracked.
Outputs are not systematically cross-checked for completeness or accuracy.

Each of these failures is survivable in isolation.

Together, they create silent non-compliance.


4. Why Most Teams Don’t Realise They’re Non-Compliant

Most organisations do not discover these failures until something goes wrong.

Several factors create a false sense of security:

“We’ve Never Had a Complaint”

A lack of complaints is interpreted as proof of compliance.

In reality, many data subjects never challenge incomplete responses.


Low DSAR Volumes

For organisations receiving only occasional DSARs, broken workflows appear functional.

They collapse only when:

  • Scope expands

  • Document volume spikes

  • Regulatory scrutiny increases


Partial Responses Mistaken for Compliance

Teams provide some data and assume completeness.

There is no mechanism to verify totality or accuracy.


Limited Regulatory Scrutiny

Routine DSAR handling is rarely audited proactively.

Failures surface only during:

  • Investigations

  • Enforcement actions

  • Litigation

This creates the illusion of compliance until external pressure exposes the gaps.


5. The Legal and Operational Risk This Creates

These structural weaknesses create concrete compliance risk.

They expose organisations to:

  • Missed statutory DSAR deadlines

  • Inconsistent or faulty redaction

  • Third-party data leakage

  • Incomplete or inaccurate disclosures

  • Inability to defend compliance during audits

  • Litigation exposure from data subjects

  • Regulatory fines for systemic GDPR failures

When organisations cannot demonstrate that a compliant DSAR workflow was followed, they struggle to defend their position — even when acting in good faith.


6. What a Modern DSAR Workflow Actually Requires

DSAR compliance now requires infrastructure, not improvised workflows.

A defensible modern Data Subject Access Request process includes:

Centralised Intake

All requests captured, timestamped, and tracked in one system.


Identity Verification

Structured verification to prevent unauthorised disclosure.


Data Discovery Across Systems

Comprehensive scanning across:

  • Email

  • Cloud storage

  • CRMs

  • File systems

  • SaaS platforms


Deduplication

Automated detection of duplicate and near-duplicate records.


Structured Redaction

Rule-based, permanent redaction of third-party and sensitive data.


Secure Delivery

Controlled, encrypted response delivery.


Audit Logging

Immutable logs of searches, actions, decisions, and timelines.

This is no longer a legal admin task.

It is a data-operations workflow.


7. DSAR Compliance Is Now a Data-Operations Problem

DSAR compliance has quietly become an operational infrastructure challenge.

It can no longer be treated as:

  • A one-off legal exercise

  • A manual workflow bolted onto existing systems

  • A task performed only when requests arrive

Modern data environments require permanent compliance operations.

Forward-looking organisations are now redesigning DSAR handling as a standing operational capability — not a reactive legal obligation.

This shift is not about automation for convenience.

It is about building DSAR workflows that survive:

  • Scale

  • Audits

  • Regulatory scrutiny

At DSAR.ai, this is the problem we are building infrastructure around.