Simplify DSAR Responses with Time-Saving Technology
See How EverlawAI Helps Surface Crucial Data
by Petra Pasternak
Organisations that approach data subject access requests, or DSARs, as routine administrative obligations may be underestimating their growing cost and risk.
Recent legal and regulatory developments are raising the bar for compliance, reshaping organisations’ response to DSARs and other disclosure requirements.
The Data (Use and Access) Act 2025 (DUAA), updated guidance from the Information Commissioner’s Office (ICO), and pivotal case law such as Ashley v HMRC [2025] introduce strict new procedural and transparency requirements. This leads to increased expectations around how organisations scope, search, and justify their responses.
At the same time, DSARs increasingly arise in litigation, employment disputes, regulatory scrutiny, and internal investigations. In employment disputes in particular, DSARs are more frequently used to obtain information before formal claims are filed, making them an early indicator of potential litigation. Expanding data volumes across collaboration platforms and cloud systems are also making it far more difficult to find and review personal data.
Together, these developments mean that DSAR responses increasingly resemble early-stage disclosure, where teams must identify relevant custodians, search across multiple systems, review large volumes of material, and apply statutory exemptions, all within strict regulatory timelines.
For data protection officers, privacy counsel, and compliance leaders, DSARs can no longer be handled simply as a compliance exercise. To protect their organisation, teams need clear scoping, defensible workflows, documented decision-making, and close coordination with other departments. For some teams, that can require a strategic overhaul of internal DSAR procedures.
A Unified Platform Powers Better Team Collaboration
As DSARs grow in volume and legal complexity, it is clear that traditional, often manual, approaches simply cannot scale. But the answer isn’t another niche point solution. Legal and compliance teams need a platform built for cross-functional collaboration, with enough flexibility to handle everything from routine privacy requests to high-stakes investigations and litigation.
Everlaw eliminates potential friction between HR, legal, and IT. Native features, like shared workspaces with role-based access and simple document sharing, remove the traditional handoff delays that stall reviews. When a complex DSAR requires a second, independent pair of eyes because of anticipated employment litigation, in-house teams can invite outside counsel to collaborate within the same secure environment in real time.
Getting the right people into the platform is one key step; the next is giving them the analytical tools to spot what actually matters within the data. Everlaw’s intuitive GenAI features and AI-powered visualisation tools help surface key patterns and relevant data, and reduce manual effort and the time it takes from review to response.
Addressing New DUAA, ICO, and Case Law Guidance with Everlaw
The DUAA codifies a number of practical flexibilities that were previously only available in ICO guidance or common law; the updated ICO guidance (running to 124 pages) tightens transparency rules; and recent case law presents some important takeaways.
Some non-exhaustive examples of these highlights, and of how Everlaw can help with them, include:
1. The Reasonable and Proportionate Search Standard
Section 78 of the DUAA explicitly codifies that controllers are only required to conduct “reasonable and proportionate” searches. You no longer need to leave no stone unturned.
When justifying why a deeper or broader search is disproportionate, the updated ICO guidance states you may now explicitly rely on the volume of information that needs to be searched, alongside the circumstances of the request, search difficulties, and the fundamental right of access.
The language around burden of proof has also shifted slightly here; you must be able to show and document why a search is disproportionate, rather than merely justifying it.
Ashley v HMRC [2025] EWHC 134 (KB) (“Ashley”) provides additional guidance here; a holistic, potentially organisation-wide search approach is required, notwithstanding internal operational boundaries or departmental silos. If data is held elsewhere in the corporate structure by the same controller, it must be searched, and this does not render the request disproportionate. You are, however, also legally allowed to factor in the time it takes to review, redact, and apply exemptions to the data, not just the time it takes to run the initial search query, which is significant for organisations responding to more complex DSARs.
How Everlaw can help:
EverlawAI Deep Dive: When calculating if a cross-departmental search is disproportionate, you can use Deep Dive to instantly interrogate organisation-wide datasets using natural language in Everlaw, at scale if necessary. This can help to immediately surface the true volume and complexity of the data, to provide a basis for the metrics you need to help you document your “burden of proof.”
EverlawAI Coding Suggestions: By automating the first-pass review across as many documents as you need to review, Coding Suggestions can help to significantly reduce the time and effort required to review, produce and (where appropriate) exempt data, potentially shifting the bar on what constitutes a “disproportionate effort.” Importantly, if you are not using a tool like Everlaw, you are at risk of falling on the wrong side of the proportionality line if these questions arise from the regulator or courts.
Standard Everlaw functionality: Core Everlaw features, in themselves a revelation to those currently stuck with manual processes, underpin and reduce the cost of more advanced techniques. This business-as-usual functionality includes automatic deduplication, imaging and email threading, metadata filtering (e.g. by date, by parties etc.), blink-speed searching, and pre-configured data visualisations.
2. Intelligibility
The ICO has continued to stress that data must be provided in a concise, transparent, intelligible, and easily accessible form.
In Ashley, however, HMRC provided heavily redacted documents where only Mr. Ashley's name or initials were visible, stripping away all surrounding text to protect third-party or non-personal data.
The court ruled that providing heavily redacted, incomprehensible data outputs was a breach of the rules; you must leave enough surrounding non-personal data, or provide a separate contextual summary, so the data subject actually understands what the document is about.
How Everlaw can help:
EverlawAI Document Summaries: Instead of spending hours manually drafting contextual narratives for heavily redacted files, EverlawAI can instantly generate clear, citation-backed summaries of the underlying documents. This provides a ready-made, intelligible summary that can help to satisfy the Ashley requirements without revealing the protected third-party data.
EverlawAI Custom Extractions: You can prompt Everlaw to automatically extract the data subject’s name whenever it appears, in addition to providing surrounding salient information to help you meet intelligibility requirements.
Extraction vs Redaction DSARs: Everlaw supports both extraction-type DSARs, and redaction-type DSARs.
For extraction-type DSARs, data is extracted as opposed to redacted documents being produced. The format of this extraction provides flexibility in respect of your workflow, helping you to satisfy intelligibility requirements.
For redaction-type DSARs, Everlaw provides you with powerful tools out of the box, including batch redactions, and the automated identification (and subsequent batch redaction) of personal data such as email addresses.
Redaction stamps can also help to label exemptions visibly on the face of documents; when paired with batch redactions, they can significantly reduce work effort and provide insight safely and easily to data subjects on the face of the documents they have received. Notes can also be made against redactions, which whilst not visible on the face of the document, can be produced if desired or required.
3. The Scope of Personal Data in Business Disputes
The DUAA maintains the core definition of personal data, but requires controllers to be highly accurate in identifying it before applying exemptions.
In Ashley, HMRC argued that valuations of commercial properties owned by Mr. Ashley were not his personal data because they were data about objects (buildings), not a person. The court disagreed; in summary, it was held that data related to corporate assets, business initiatives, or financial instruments potentially crosses the threshold into personal data whenever it serves to assess the individual’s actions, liabilities, or workplace performance.
How Everlaw can help:
EverlawAI Deep Dive: Reviewers can simply ask Deep Dive to identify documents evaluating the employee’s actions, liabilities or workplace performance. Deep Dive will bypass corporate jargon and instantly surface examples of documents where business data crosses the threshold into personal data, and provide natural language analysis around this. The responses to these questions can then be iterated upon, or further search criteria can be determined if an exhaustive trawl is required.
EverlawAI Custom Extractions: You can configure Everlaw to automatically extract the data subject’s name whenever it appears near specific business concepts (e.g., financial metrics, HR disciplinary terms etc.), helping you to more precisely identify data that has potentially crossed the threshold.
EverlawAI Coding Suggestions: Coding Suggestions can be drafted using natural language to identify documents fitting the criteria you have set out, reducing the lift involved in a traditional document by document review, through an AI-powered batch process.
4. Applying Exemptions
The DUAA entrenches, refines and clarifies various statutory exemptions, including Legal Professional Privilege (“LPP”). When applying exemptions, the courts are taking a strict approach. In Ashley, HMRC tried to apply a broad “tax exemption”, but the ruling requires you to document a highly specific, tangible link to the prejudice or harm that would occur if the data were released, not blanket speculation, which will be struck down by the courts.
How Everlaw can help:
EverlawAI Coding Suggestions: You can establish custom criteria to automatically flag potential LPP or other exemptions requiring redactions or withholding of documents. EverlawAI Coding Suggestions are as flexible as your working methodologies, letting you avoid the unnecessary rigidity of other solutions on the market.
EverlawAI Deep Dive: When you need to justify withholding a class of documents, you can ask Deep Dive to help you summarise the specific risks, privilege or commercial sensitivities contained within those documents. You can then refine that response in a fully editable Storybuilder Draft. This helps to give your team the document-specific evidence required to demonstrate the strict approach required. It can also help to highlight and facilitate your rectification of any issues identified in your approach, in advance of sending out the documents to the data subject.
5. Format Demands and Repetitive Requests
The ICO clarifies that providing data via a secure portal in a commonly used electronic format satisfies your obligations in most instances. The requirement may also be satisfied by giving the data subject remote access to their information on a secure system. However, they will also need to be able to download a copy of the requested information in a format that is accessible to them.
Linked to these concepts is the scenario where a data subject downloads their data but repeatedly demands the same information in different formats. Under the guidance, you may now formally treat these subsequent requests as “manifestly unfounded or excessive”, allowing you to potentially refuse them, or charge a reasonable administrative fee.
How Everlaw can help:
EverlawAI Deep Dive: If requests are similar but not identical in terms of search criteria and scope, you can use Deep Dive to help you verify that the repeated request would indeed not result in additional documents needing to be provided. Conversely, if you do conclude that additional disclosures are required, Deep Dive can help you to minimise the impact of this task.
Fully Integrated Productions: Everlaw’s easy to use, wizard-driven production tools allow you to instantly package, format, and share data via secure, trackable links in standard electronic formats. This creates an audit trail of exactly what was provided, in what format, and when it was accessed, helping to give you the documented proof necessary.
Partial Projects with Granular Access: It is possible to also give secure, locked-down access to the curated set of data subject data in a partial project, whilst granular access protects your organisation’s DSAR exemptions (including third party data and LPP).
6. “Stopping the Clock”
The DUAA formalises the ability to pause the one-month statutory deadline when requesting necessary clarification or verifying identity, with the ICO guidance removing the previous condition that you must process a large amount of information about the requester to ask for clarification.
You can now pause the clock on any request where clarification is genuinely required to provide an effective response. This must however be done in a timely manner, with ID and clarification requested as soon as possible, not at the end of the statutory period. It must also not be a routine stalling tactic; you must be able to document why the specific request was unclear and why you genuinely needed more information to proceed.
How Everlaw can help:
EverlawAI Deep Dive: When a vaguely worded DSAR request arrives, you can use Deep Dive to rapidly sample the raw data. It can help you to investigate, for example, the different contexts in which a data subject’s name appears. This can help your team to rapidly surface supporting evidence to revert to the requester with, to help justify why clarification is genuinely needed to proceed, and provide you with the factors to help justify pausing the clock.
Data Visualizer & Clustering: Everlaw’s visual dashboards can help to instantly map out a data subject’s footprint. Documenting that their name, for example, spans multiple departments and years helps to provide quantifiable proof to justify why a broadly worded request requires narrowing down before work can begin.
Search Term Report (“STR”): Running rapid STRs on the requester’s requests and/or their known identifiers helps to rapidly quantify the volume of potential hits. Reverting to a requester with concrete metrics is a highly effective way to help document the scale of a vague request.
Integrated AI for Workflows That Accelerate Review
As set out above, EverlawAI is fundamentally changing how investigatory, regulatory, and legal work is done. But too many platforms stitch hastily fabricated AI add-ons to their basic tool set rather than create a genuine AI-enabled solution.
Rather than fall into that legacy mindset, Everlaw applies a more holistic perspective that integrates AI and advanced analytics across the entire platform. This allows organisations to tailor their approach, with some adopting an AI-first approach while those who are just starting their AI journey can keep more traditional workflows that are powered by automations and optional AI. The result for legal and compliance teams is a unified search, review, and redaction experience.
This makes everything from DSAR scoping to prioritisation and extraction simpler and more efficient. Teams working on DSARs can capture every decision (for example, why a document was tagged relevant, why a redaction was applied, or why certain data was excluded) automatically using audit trails, which provide defensible answers, not just confidence scores.
A structured approach helps ensure that an organisation can justify which data it included if challenged in proceedings. It also puts your team at an advantage should a routine DSAR request evolve into a dispute.
Handling DSARs and Other Matters in a Single Platform
Many organisations, perhaps inadvertently, treat DSAR requests as a one-off task relying on traditional approaches, rather than as part of a larger organisational strategy. This creates unnecessary risk.
When DSAR workflows are managed in disparate tools, teams run the risk that a search is incomplete or that siloed teams are duplicating efforts. Limited visibility across related matters can create compliance exposure while also making it harder to identify when a request is a precursor to litigation.
In a typical people, process and technology scenario, technical efficiency for organisations of any size comes from a unified platform. For larger corporations and the external advisors that assist them, managing DSARs in the same environment as legal holds, investigations, and litigation matters eliminates the friction of navigating between disconnected systems (known as the “toggle tax”). It helps keep everyone on the same page and collaborating with greater transparency and timeliness.
With Everlaw’s unified environment for investigation, regulatory, and litigation workflows, teams aren’t just fulfilling a request, they’re building a strategic response and reducing risk.
Petra Pasternak is a writer and editor focused on the ways that technology makes the work of legal professionals better and more productive. Before Everlaw, Petra covered the business of law as a reporter for ALM and worked for two Am Law 100 firms.