At a Glance
- Rising DSAR complexity is driven by regulatory changes and increased public awareness.
- AI-powered review in RelativityOne dramatically reduces false positives and accelerates turnaround.
- Best-practice lifecycle includes usingtargeted collection, proportionate scoping, AI-assisted review, robust QC, and automated redaction.
- Real-world results are in ... cutting review by more than half, hitting deadlines with days to spare, and impressing clients with cost predictability.
Data Subject Access Requests (DSARs) have always been a fundamental part of privacy rights, giving individuals the ability to see and understand the personal data an organisation holds on them. But in the last few years, the nature of these requests has changed dramatically. And now, they’re more demanding than ever.
The volumes of requests are climbing as public awareness grows, and new regulations expand the definition of personal data to include not only what’s collected, but also how it’s used, shared, and even applied in automated decision-making. The result is a much more complex, labour-intensive process.
This complexity is compounded by heightened regulatory scrutiny. In the UK, the Information Commissioner’s Office (ICO) has taken action against organisations that miss deadlines or submit incomplete responses. A single delay or an overly broad interpretation of the request can trigger enforcement proceedings, tribunal claims, or compensation payouts. With timelines tight (typically one month unless an extension is justified), compliance teams have little room for error.
A further challenge is the rise of what some call “weaponised” DSARs. Disgruntled former employees and litigants increasingly use them as a pressure tactic or fishing expedition, looking for material to support claims or to put the organisation on the defensive. While a customer DSAR may return a manageable number of documents, an employee request, especially from someone who’s been with the company for years, can generate thousands of potentially responsive files, many of which are irrelevant. This surge in volume and complexity makes manual, spreadsheet-driven approaches untenable.
How Technology, and AI in Particular, Changes the Game
With this increased complexity, DSAR reviews need to be tackled much like litigation discovery: sifting through large data sets from multiple sources, under tight deadlines, with a need for accuracy and defensibility. That’s why we’ve found RelativityOne and Relativity aiR for Review to be such a strong fit. Its search, review, redaction, and audit capabilities are purpose-built for these challenges, allowing teams to manage DSARs with the same discipline they apply to e-discovery. Generative AI brings even greater efficiency to the process.
Before, reviewers were forced to rely on broad keyword searches, which flag every document in which a data subject appears without understanding the context of the document. Now, aiR for Review can distinguish the documents where data subjects are actually meaningfully discussed—filtering out irrelevant “CC’d” mentions and cutting straight to the relevant content. It goes beyond pattern recognition to identify sensitive information using the surrounding narrative, and because every decision is supported with rationales and citations, the AI-assisted workflow remains transparent and defensible.
Perhaps most importantly, aiR for Review helps contain costs. By triaging irrelevant material before human review begins, it keeps DSAR fulfilment proportionate to the request, even when the initial scope is broad. This not only improves turnaround times; it prevents the request from becoming a financial burden.
Best Practices for a DSAR from Intake to Disclosure
An effective DSAR workflow is about more than just processing data quickly—it’s about controlling scope, ensuring proportionality, and creating a defensible, repeatable process.
RelativityOne and aiR for Review provide the tools, but strategy and process discipline are what enables the workflow to be truly efficient.
1. Collection – Targeted, Defensible Data Gathering
- Principle: Collect only what’s necessary to meet the request, while preserving the integrity of the data. Overcollection increases review time and costs without adding value.
- In Practice: Identify custodians and data sources early, then use Collect in RelativityOne to defensibly pull data directly from platforms like Microsoft 365, Google Workspace, and Slack.
- Apply date ranges, custodian lists, and targeted file type filters to keep collections focused. Record these parameters and document steps taken for defensibility.
2. Scoping – The Most Strategic Step in DSAR Success
- Principle: Scoping isn’t just about limiting the data set. It’s about engaging with the requester to shape the request into something reasonable, proportionate, and more revealing. Pushing back with the right questions often uncovers the requester’s true focus—whether that’s performance reviews, grievances, or a specific incident—which allows you to anticipate follow-up queries and plan ahead. By effectively using additional features of RelativityOne prior to aiR for Review, you can refine your data and determine the appropriate population to analyse with AI.
- In Practice:
- Use RelativityOne’s saved searches and dtSearch to test different keyword/date combinations before review starts.
- Generate search term reports to show hit counts and demonstrate why certain refinements will return more relevant results.
- Where possible, suggest targeted keyword groups tied to events or topics (e.g., “project X,” “grievance,” “incident date”), and agree on narrower date ranges.
- Document all communications and decisions to help you justify the scope later.
3. Review Approach – Prioritise, Categorise, Validate
- Principle: Review the most likely relevant material first, while maintaining a quality control safety net for low-likelihood documents.
- In Practice:
- Run aiR for Review to rank documents by predicted relevance and surface high-priority items.
- Optional: Configure Issues review to separate key content types:
- Personal data of the data subject
- Third-party personal data
- Legal privilege/legal advice
- Confidential business information
- HR/employment issues
- Review a sample of “Not Relevant” documents to validate AI predictions before scaling.
- Use issue tags such as “QC checkpoints,” e.g., requiring a second review for any document tagged as containing high-risk information.
4. Redaction
- Principle: Redaction should be precise, protecting sensitive information without unnecessarily withholding content.
- In Practice:
- Apply RelativityOne’s mass redaction to automatically detect and redact PII, financial data, and custom patterns.
- Optional: Utilize aiR for Review to identify documents containing third-party or confidential commercial information.
- Isolate redacted vs unredacted sets for final sampling and QC before disclosure.
5. Governance & Repeatability – Build for the Next DSAR
- Principle: Use every DSAR to make the next one easier.
- In Practice:
- Maintain a full RelativityOne audit trail of collection choices, search terms, and review decisions to refer to when reviewing future DSARs.
- Save workspace templates with coding panels, searches, and AI configurations to serve as a proven framework for future DSARs.
- Use learnings from scoping conversations to anticipate common requester angles and prepare standard keyword/date negotiation strategies to save time.
Case Study: Beating the Clock with aiR for Review
One recent project illustrates how these principles and tools come together. Our team received a DSAR from a disgruntled ex-employee who had been with the client company for six years. Their initial request—to obtain every document containing their name or initials—would have returned an overwhelming volume of irrelevant material, especially as their initials were also a common word.
Through careful scoping discussions, we refined the search to a six-month period and added targeted keywords focused on performance, grievances, or allegations. This refinement not only reduced the data set to something manageable, but also gave us insight into what the requester was truly seeking, which helped us prepare for possible follow-up queries.
After running deduplication and standard analytics such as email threading in RelativityOne, the data set was reduced to roughly 1,500 documents. Running aiR for Review allowed us to prioritise 685 documents predicted to be relevant with a 98 percent or higher accuracy rate. The case team confirmed they agreed with aiR for Review’s decisions and rationales through QCing a targeted sample of “Not Relevant” documents, giving the team increased confidence in the AI’s predictions. The entire process, from receipt to production, was completed within 48 hours—well within the one-month statutory deadline, despite starting with only a week left.
The client was impressed by both the turnaround time and the low cost. The workflow also provided a blueprint for the future: we were able to create fixed-fee estimates for DSARs based on data volume and reuse templates, coding panels, and analytics in subsequent matters. Within a month, the same client sent five more DSARs our way, each handled even faster than the first.
The Takeaway
DSARs are no longer simple, low-risk compliance tasks: they are high-stakes, time-sensitive matters that can carry significant reputational and financial consequences. By combining strategic workflow design with the capabilities of RelativityOne and aiR for Review, legal teams can manage them with confidence.
The result is a process that is proportionate, defensible, and repeatable—one that meets deadlines, controls costs, and delivers the level of quality that regulators and clients now expect.
Graphics for this article were created by Caroline Patterson.
Recommended for you
