For a long time, a Data Subject Request (DSR) or Data Subject Access Request (DSAR) meant one thing: someone wanted a copy of their personal data, and you went and pulled it out of a database. That request still exists. It is just no longer the one that should keep you up at night.
I spend most of my week inside enterprise privacy programs, and the same pattern keeps showing up. The volume is climbing, the request mix has changed, and the definition of “in scope” has quietly expanded into the messiest corners of the enterprise. If your DSR process was built on the old assumptions, it is already behind. Here is what changed, and why it matters.
Key Takeaways: How Data Subject Requests Have Changed
• Data Subject Requests are becoming more frequent, more complex, and harder to manage manually.
• Deletion, correction, and opt-out requests now create more operational burden than simple access requests.
• Personal data now spans cloud, SaaS, collaboration platforms, AI systems, and unstructured content.
• Employee DSRs often carry higher legal and operational risk than customer requests.
• Privacy teams need automated discovery, fulfillment workflows, and defensible audit trails to keep pace.
More Consumers Are Filing Data Subject Requests
Start with the demand side. Cisco’s 2024 Consumer Privacy Survey found that 36% of consumers had exercised their data subject access rights, up from 28% the year before. That is not a rounding error. That represents a structural shift in how many people will actually file.
It also skews younger, which tells you where this is heading. In that same survey, 46% of consumers aged 25 to 34 had exercised these rights, compared with just 16% of those 65 and older. The cohort most fluent in their privacy rights is the one aging into peak earning and peak data generation. That trend will likely continue.
Deletion Requests Are Becoming the New Default
Access used to be the request you planned around. Now it is eliminação. Erasure and Do Not Sell requests have overtaken simple access, and across most programs deletion is now the request type driving the workload.
That shift matters more than the headline. A data access request is primarily a read operation. A deletion is a write operation across every system that touches the person, plus proof you did it, plus a defensible audit trail. One deletion can fan out across dozens of systems. When your most common request is also your most operationally expensive, manual workflows quickly stop scaling, and they stop scaling fast. Remember that the clock does not care: the traditional one-month statutory deadline leaves you roughly 20 to 22 “working days” to find everything and act on it.
And the deletion request itself is being industrialized. California’s Delete Act created DROP, the Delete Request and Opt-Out Platform, which went live to consumers on January 1, 2026. A California resident now files one verified request and it fans out to more than 500 registered data brokers at once. Starting August 1, 2026, those brokers have to retrieve requests at least every 45 days, complete deletions within 90 days, suppress the data so it does not come back, and pass the request down to their own service providers and contractors. Miss one and the penalty runs $200 per request, per day. Two things make this bigger than a data-broker story. The scope is broader than CCPA, reaching any personal information tied to the consumer, including inferences. And the definition of “data broker” is wide enough that plenty of companies who never thought of themselves as one are now in scope. Centralized, cascading, deadline-driven deletion is no longer theoretical. It is live.
Data Subject Requests Now Extend Beyond Structured Data
This is the one that breaks otherwise mature programs.
The early DSR was a structured-data exercise. Pull the record from the CRM, hand it over, done. That world is gone. Personal data now lives across email, Slack, shared drives, SaaS applications, and generative AI tools. A request you could once answer from one system now requires you to find a person across your entire unstructured estate.
It is not just text anymore either. The UK’s Data Use and Access Act and several US state laws now treat video, audio, and screen recordings as personal data that has to be located, redacted, and disclosed. AI raises the stakes again. A 2025 Court of Justice of the European Union ruling held that when automated decision-making affects someone, you owe them a real explanation of the logic, not a pointer to an algorithm. Your profiling and scoring models are now responsive material.
If you cannot answer one simple question, you have a scope problem: when a deletion request comes in, do you actually know everywhere that person lives, including the file shares and the AI systems? Most organizations cannot, and that gap is exactly where requests stall and fines start.
Employee Data Subject Requests Carry Greater Legal Risk
Here is the dimension that gets buried when people focus on consumers. The highest-risk DSRs are often not coming from your customers. They are coming from your workforce.
EY Law’s survey of data protection leaders found that while customers were the largest single source of DSARs, almost a third came from employees, with requests triggered by HR issues like termination, unfair dismissal claims, and organizational change. The intent behind those is different. The DSAR has become a pre-litigation tool. An employee in a dispute files a broad request, and suddenly you are searching every manager’s mailbox under a one-month clock while employment counsel watches over your shoulder. Litigation disclosure does not get you off the hook, and “this request is burdensome” is not grounds for refusal.
The same survey put hard numbers on the strain: 60% of organizations reported an increase in DSARs year over year, 33% had received bulk requests, and 51% had fielded complaints about how a request was handled. That last one matters, because complaints are what put you in front of a regulator. The UK’s Information Commissioner’s Office alone logged more than 15,000 subject access complaints in a single year.
The look-back window grew, too. Under CPRA, employees can request all retained personal information going back to January 1, 2022, not just the prior 12 months. Deeper history, scattered across fragmented HR systems, on a tight deadline. That is a discovery problem, not a forms problem.
One counterweight worth noting for honesty’s sake: the UK’s Data Use and Access Act codified that employers only need to run a “reasonable and proportionate” search. That provides some relief. It does not help if you have no idea where the data is in the first place.
What Modern Data Subject Request Programs Require
Strip away the individual trends and they all point at the same root cause. The hard part of a DSR is no longer “do we have to respond.” It is “can we find and act on everything, everywhere, fast enough to be defensible.” That is a data problem before it is a privacy-process problem.
This is where the work has to start, and where BigID is built to operate:
Descoberta e classificação com reconhecimento de identidade
Find a person’s data across structured, unstructured, and semi-structured systems, on-prem, cloud, SaaS, and AI data. You cannot fulfill what you cannot see.
Learn more about Discovery and Classification.
Automated Rights Fulfillment
Intake, verify, and execute access, deletion, and opt-out requests with a full audit trail, so the 800th deletion costs you what the first one did.
Learn more about Data Rights Automation.
Centralized Consent and Opt-out Handling
Capture and enforce signals like GPC across channels, instead of discovering during a regulator sweep that you were ignoring them.
Learn more about Consent and Preferences.
Privacy Portals That Actually Execute
A request mechanism that applies the choice across every touchpoint, not a button that routes to nowhere.
Learn more about Privacy Portals.
O Resultado Final
The DSR did not become optional. It became operationally harder. Deletion-heavy, cascading through platforms like DROP, scope sprawling into unstructured and Sistemas de IA, and increasingly weaponized by employees in disputes. Programs built on manual effort and structured-data assumptions are quietly accumulating risk they cannot see.
The teams that handle what is coming will not be the ones working harder. They will be the ones who solved the data problem underneath the request.
Modern DSR Frequently Asked Questions
What is a Data Subject Request (DSR)?
A Data Subject Request (DSR) is a request from an individual to exercise their privacy rights, including access, deletion, correction, or opting out of the use or sale of their personal data.
Why are Data Subject Requests becoming more difficult?
DSRs now extend beyond structured databases into email, collaboration platforms, cloud storage, AI systems, audio, video, and other unstructured data sources, making them much harder to locate and fulfill.
Why are deletion requests more complex than access requests?
Deletion requests require organizations to locate personal data across multiple systems, remove it where appropriate, maintain an audit trail, and often notify downstream service providers, making them far more operationally complex than simply providing access.
How is AI changing Data Subject Requests?
AI systems can store, process, and generate personal information in prompts, outputs, models, and workflows. Organizations must increasingly determine whether AI-related data falls within the scope of a DSR.
How does BigID automate Data Subject Requests?
BigID discovers personal data across structured and unstructured environments, automates DSR fulfillment workflows, enforces deletion and opt-out requests, and provides a complete audit trail for compliance.
Automate Data Subject Requests at Enterprise Scale
Modern DSRs require more than manual workflows. Discover, locate, fulfill, and document access, deletion, correction, and opt-out requests across structured data, unstructured content, cloud, SaaS, and AI environments from a single platform.
