From Inbox to Disclosure: How aiR is Reshaping DSAR Compliance

By Gravity Stack Staff

Data Subject Access Requests (DSARs) have always been a fundamental part of privacy rights,  giving individuals the ability to see and understand the personal data an organisation holds on  them. But in the last few years, the nature of these requests has changed dramatically. And now,  they’re more demanding than ever. 

The volumes of requests are climbing as public awareness grows, and new regulations expand  the definition of personal data to include not only what’s collected, but also how it’s used,  shared, and even applied in automated decision-making. The result is a much more complex,  labour-intensive process. 

This complexity is compounded by heightened regulatory scrutiny. In the UK, the Information  Commissioner’s Office (ICO) has taken action against organisations that miss deadlines or  submit incomplete responses. A single delay or an overly broad interpretation of the request can  trigger enforcement proceedings, tribunal claims, or compensation payouts. With timelines tight (typically one month unless an extension is justified), compliance teams have little room for  error. 

A further challenge is the rise of what some call “weaponised” DSARs. Disgruntled former  employees and litigants increasingly use them as a pressure tactic or fishing expedition, looking  for material to support claims or to put the organisation on the defensive. While a customer  DSAR may return a manageable number of documents, an employee request, especially from  someone who’s been with the company for years, can generate thousands of potentially  responsive files, many of which are irrelevant. This surge in volume and complexity makes  manual, spreadsheet-driven approaches untenable.

How Technology, and AI in Particular, Changes the Game 

With this increased complexity, DSAR reviews need to be tackled much like litigation discovery:  sifting through large data sets from multiple sources, under tight deadlines, with a need for  accuracy and defensibility. That’s why we’ve found RelativityOne and Relativity aiR for Review to be such a strong fit. Its search, review, redaction, and audit capabilities are purpose-built for  these challenges, allowing teams to manage DSARs with the same discipline they apply to e discovery. Generative AI brings even greater efficiency to the process.  

Before, reviewers were forced to rely on broad keyword searches, which flag every document in  which a data subject appears without understanding the context of the document. Now, aiR for  Review can distinguish the documents where data subjects are actually meaningfully discussed—filtering out irrelevant “CC’d” mentions and cutting straight to the relevant content.  It goes beyond pattern recognition to identify sensitive information using the surrounding  narrative, and because every decision is supported with rationales and citations, the AI-assisted  workflow remains transparent and defensible. 

Perhaps most importantly, aiR for Review helps contain costs. By triaging irrelevant material  before human review begins, it keeps DSAR fulfilment proportionate to the request, even when  the initial scope is broad. This not only improves turnaround times; it prevents the request from  becoming a financial burden. 

Best Practices for a DSAR from Intake to Disclosure 

An effective DSAR workflow is about more than just processing data quickly – it’s about  controlling scope, ensuring proportionality, and creating a defensible, repeatable process.  

RelativityOne and aiR for Review provide the tools, but strategy and process discipline are  what enables the workflow to be truly efficient. 

1. Collection – Targeted, Defensible Data Gathering 

• Principle: Collect only what’s necessary to meet the request, while preserving the  integrity of the data. Overcollection increases review time and costs without adding  value.
• In Practice: Identify custodians and data sources early, then use Collect in RelativityOne to defensibly pull data directly from platforms like Microsoft 365, Google Workspace, and Slack. 
• Apply date ranges, custodian lists, and targeted file type filters to keep collections  focused. Record these parameters and document steps taken for defensibility. 

2. Scoping – The Most Strategic Step in DSAR Success 

• Principle: Scoping isn’t just about limiting the data set. It’s about engaging with the  requester to shape the request into something reasonable, proportionate, and more  revealing. Pushing back with the right questions often uncovers the requester’s true  focus – whether that’s performance reviews, grievances, or a specific incident – which  allows you to anticipate follow-up queries and plan ahead. By effectively using additional  features of RelativityOne prior to aiR for Review, you can refine your data and determine  the appropriate population to analyse with AI. 
• In Practice: 
  • Use RelativityOne’s saved searches and dtSearch to test different keyword/date  combinations before review starts. 
  • Generate search term reports to show hit counts and demonstrate why certain  refinements will return more relevant results. 
  • Where possible, suggest targeted keyword groups tied to events or topics (e.g.,  “project X,” “grievance,” “incident date”), and agree on narrower date ranges. o Document all communications and decisions to help you justify the scope later. 

3. Review Approach – Prioritise, Categorise, Validate 

• Principle: Review the most likely relevant material first, while maintaining a quality  control safety net for low-likelihood documents. 
• In Practice: 
  • Run aiR for Review to rank documents by predicted relevance and surface high priority items. 
  • Optional: Configure Issues review to separate key content types: 
    • Personal data of the data subject 
    • Third-party personal data 
    • Legal privilege/legal advice 
    • Confidential business information 
    • HR/employment issues 
• Review a sample of “Not Relevant” documents to validate AI predictions before  scaling. 
• Use issue tags such as “QC checkpoints,” e.g., requiring a second review for any  document tagged as containing high-risk information.

4. Redaction  

• Principle: Redaction should be precise, protecting sensitive information without  unnecessarily withholding content. 
• In Practice: 
  • Apply RelativityOne’s mass redaction to automatically detect and redact PII,  financial data, and custom patterns. 
  • Optional: Utilize aiR for Review to identify documents containing third-party or  confidential commercial information. 
  • Isolate redacted vs unredacted sets for final sampling and QC before disclosure.

5. Governance & Repeatability – Build for the Next DSAR 

• Principle: Use every DSAR to make the next one easier. 
• In Practice: 
  • Maintain a full RelativityOne audit trail of collection choices, search terms, and  review decisions to refer to when reviewing future DSARs. 
  • Save workspace templates with coding panels, searches, and AI configurations to serve as a proven framework for future DSARs. 
  • Use learnings from scoping conversations to anticipate common requester  angles and prepare standard keyword/date negotiation strategies to save time. 

Case Study: Beating the Clock with aiR for Review 

One recent project illustrates how these principles and tools come together. Our team received a  DSAR from a disgruntled ex-employee who had been with the client company for six years.  Their initial request—to obtain every document containing their name or initials—would have  returned an overwhelming volume of irrelevant material, especially as their initials were also a  common word. 

Through careful scoping discussions, we refined the search to a six-month period and added  targeted keywords focused on performance, grievances, or allegations. This refinement not only  reduced the data set to something manageable, but also gave us insight into what the requester  was truly seeking, which helped us prepare for possible follow-up queries. 

After running deduplication and standard analytics such as email threading in RelativityOne, the  data set was reduced from 1,498 documents to roughly 1,011 documents. Running aiR for  Review allowed us to prioritise 685 documents predicted to be relevant with a 98 percent or  higher accuracy rate. The case team confirmed they agreed with aiR for Review’s decisions and  rationales through QCing a targeted sample of “Not Relevant” documents, giving the team  increased confidence in the AI’s predictions. The entire process, from receipt to production, was 

completed within 48 hours – well within the one-month statutory deadline, despite starting with  only a week left. 

The client was impressed by both the turnaround time and the low cost. The workflow also  provided a blueprint for the future: we were able to create fixed-fee estimates for DSARs based  on data volume and reuse templates, coding panels, and analytics in subsequent matters. Within a  month, the same client sent five more DSARs our way, each handled even faster than the first. 

The Takeaway 

DSARs are no longer simple, low-risk compliance tasks: they are high-stakes, time-sensitive  matters that can carry significant reputational and financial consequences. By combining  strategic workflow design with the capabilities of RelativityOne and aiR for Review, legal teams  can manage them with confidence.  

The result is a process that is proportionate, defensible, and repeatable. One that meets deadlines,  controls costs, and delivers the level of quality that regulators and clients now expect.v

👉 If your department is exploring AI, get in touch.

—

Follow Gravity Stack on LinkedIn for updates from our AI Lab, client stories, and legal innovation insights.