GDPR for HR

GDPR for HR | December 2025

Published on 10th December 2025

Data subject access requests: the impact of AI, the Data (Use and Access) Act, and ICO enforcement


Welcome to our final GDPR for HR newsletter of 2025.

In this edition, we focus specifically on data subject access requests (DSARs): current trends in the use of AI in this context, what the Data (Use and Access) Act means for complaints relating to DSARs, and the level of emotional distress as a factor in ICO enforcement actions.

The explosion of AI-generated DSARs

Growing awareness of artificial intelligence, and its ability to generate "ready to send" DSARs with minimal effort or knowledge, has no doubt contributed to the rapid increase in the numbers of DSARs being submitted to employers.

There has also been an increase in the use of AI to formulate complaints about the way in which a DSAR is being handled. The Information Commissioner's Office (ICO) recently hosted a Data Protection Practitioner’s Conference (in October 2025), during which it noted that this is an observable trend.

AI has many benefits, including helping to remove some of the traditional barriers to exercising rights (by essentially providing individuals with details of what the rights are, what to ask for and how to ask for it). However, AI is not perfect and this has resulted in some eye-wateringly extensive DSARs, requesting content that is neither relevant nor reasonable.

Indicators that a DSAR has been AI generated include:

  • References to irrelevant or outdated legislation.
  • A writing style inconsistent with the individual's previous communications (such as excessive use of hyphens and legal jargon).
  • Further communication or responses are quick but unusually lengthy, and/or do not reflect or refer to prior correspondence.

Risk management strategy

The risk is that if data controllers do not know how to spot and manage this type of "off-the-shelf" DSAR with an unreasonably extensive scope, they are likely to find themselves in a time-consuming and costly review exercise that can spiral out of control. It is vital to consider strategy from the outset. For example:

  • What is the core issue behind the DSAR? With a better understanding of what the data subject is looking for, there may be more scope to narrow the search parameters and eliminate some of the requested categories if they are not relevant.
  • Remember the obligation to search has limits. Data controllers are legally obliged to carry out searches to locate relevant information only to the extent it is reasonable and proportionate, so consider at the outset if the DSAR goes beyond this.
  • Consider whether to directly address the AI-generated nature of the DSAR with the data subject. At the ICO conference referred to above, the ICO referenced its own practice when responding to unreasonably extensive DSARs that appeared to be AI generated. The data regulator promoted engaging with the data subject early on and directly raising the apparent AI-generated nature of the DSAR. It can be taken as an opportunity to engage in a non-confrontational way, to better understand what specific information they are searching for and, ideally, to agree on more appropriate and focused search parameters. It is not always possible to reach agreement with the data subject, so strategy is important here.

Osborne Clarke's specialist DSAR team has a wealth of experience in handling both straightforward and complex DSARs, as well as in responding to ICO complaints. Watch our short video which highlights how we can help.

Handling DSAR complaints – obligations under the Data (Use and Access) Act

Our summer newsletter gave an overview of what employers should know in respect of the Data (Use and Access) Act, which received royal assent in June 2025. One aspect of the new legislation that is raising questions among employers is the new statutory right for individuals to raise complaints directly with the data controller, if they believe there has been a breach of their data protection rights under UK GDPR (not just in relation to complaints regarding DSARs) and/or Part 3 of the Data Protection Act 2018 (data sharing between competent authorities for law enforcement purposes).

The provisions are anticipated to come into force in summer 2026; the ICO's final guidance is awaited, following publication of a draft for consultation purposes in the autumn.

In particular, employers should adapt existing procedures or implement new ones to ensure the following statutory obligations are met.

  • Complaint forms: To be provided with the option for individuals to complete them electronically and by other means.
  • Acknowledgement: To be provided within 30 days of receipt of the complaint.
  • Appropriate response: Take appropriate steps to respond to the complaint without undue delay, which includes making further enquiries with the individual about the nature of the complaint if appropriate.
  • Communicate the outcome: Inform the individual of the outcome of the complaint without undue delay.

In addition, it will be important for organisations to ensure complaints processes reflect the forthcoming ICO guidance which will provide further detail on various aspects, such as record-keeping obligations. In the meantime, it is worth employers reviewing their internal complaints procedures and staff training to understand the extent of changes likely to be necessary to comply with the new requirements.

From a wider perspective, a welcome change for businesses is the requirement for individuals to try to resolve complaints directly with the data controller before complaining to the ICO. In the context of employment-related DSARs, typically made by an aggrieved current or former employee, this mandatory procedural step provides employers with a further opportunity to manage risk and to take steps to defuse the situation. However, the success of the latter will be heavily dependent on the complaints being handled in an efficient and compliant manner.

Even if the individual pursues their complaint with the ICO, when the ICO has sight of a clear reasoned outcome which demonstrates a compliant complaints handling process, this is likely to have a strong influence over the ICO's own conclusions. Conversely, a poorly managed complaint could have the opposite effect. Partnering with a specialist team can really add value to businesses in supporting them with the implementation of compliant processes, training staff and complaint handling.

Limitations of using AI to respond to DSARs

As organisations look to streamline processes and reduce costs, many are turning to AI tools to support with responding to DSARs. AI can provide valuable assistance with applying filters to data sets and identifying relevant documents, including applying keywords, name variations and date ranges.

However, there are significant limitations which mean that AI cannot replace the role of expert human review. AI is, as yet, unable to make the nuanced judgement calls that take into account the wider human and employment context alongside relevant legal obligations, nor can it proactively manage associated risks relating to cost, time, compliance and reputation.

By way of illustration, in the employment context, DSARs often arise following a grievance, disciplinary or whistleblowing claim. In these circumstances, strategic decisions need to be made as part of the DSAR review. Documents relevant to the DSAR typically contain a significant proportion of sensitive information relating to third parties (most commonly other employees), such as opinions contained in investigation meeting notes and complaints about the individual who submitted the DSAR, both of which may have been given by third parties with the expectation of confidentiality.

In this scenario, employers must carry out a balancing exercise, weighing up the rights of access of the data subject against the rights to privacy of the third party individual. Where the rights to privacy of the third party individual are considered to outweigh the rights of access, employers must then consider if consent can be reasonably obtained from the third party to disclose the information and, if not, whether redaction would be sufficient to protect the identity of the third party individuals. Assuming neither of the latter is possible, employers can rely on the third party data exemption to withhold these documents. This demonstrates the various layers of subtle and necessary analysis that are part of a compliant DSAR review process and which are not currently within the capabilities of an automated piece of software.

A non-compliant approach to disclosure of information in response to a DSAR can have significant fallout, such as a data breach (if data is shared which should not have been), complaints to the ICO about incomplete disclosure, and risk to employee relations and business reputation.

AI has a valuable role to assist rather than replace the role of expert human review, particularly when reviewing documents that contain mixed personal data or where exemptions may apply. Osborne Clarke's specialist DSAR team takes into account employment law and data protection considerations in every review, which also enables us to proactively advise on strategy and mitigation of risks in light of the wider employment context. Learn more about our DSAR management offering on our GDPR for HR page.

Emotional distress taken into account by ICO for enforcement actions

The ICO recently issued an enforcement notice to South Wales Police (October 2025) for serious delays in handling DSARs. In the notice, the regulator quoted two complaints which expressed distress and detriment resulting from delays in receiving a copy of personal data requested. The regulator considered this as a factor when determining the proportionate regulatory step to compel compliance.

This serves as a reminder for all data controllers that the ICO will take into account the extent to which the non-compliance with data protection obligations has resulted in emotional distress, when determining if and what enforcement action is appropriate.


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
