Data Subject Access Requests: Using eDiscovery tools to ensure compliance and save costs

This paper aims to offer practical guidance in that regard and will show how organisations can minimise any cost and disruption caused to their business by DSARs.

Among the remarkable developments of our time is the huge increase in data volumes. It is estimated that by the year 2020, about 1.7 megabytes of new information will be created every second for every person on earth. Other statistics are equally astounding. Businesses of all sizes will require some kind of data analysis system in the not-too-distant future.

Meanwhile, in the legal realm, Data Subject Access Requests (DSARs) are becoming more common. Individuals are now more aware of their right to request personal data and will robustly exercise that right, whether out of concern for their own privacy or as a means of seeking an edge in litigation. Indeed, it is often the official policy of data protection authorities to raise the public’s awareness of these rights.

Given these developments, it is worthwhile to understand how eDiscovery tools can be used to deal with DSARs, particularly in cases involving “big data”.


The DSAR regime is intended to provide transparency to individuals in respect of their “personal data”  held by an organisation. Often the organisation is the individual’s current or former employer but it can also be, for example, a retailer or an academic institution.

Under the General Data Protection Regulation (GDPR) which came into force on 25 May 2018, data subjects are provided certain rights in relation to their personal data held by an organisation.

Article 15 of the GDPR states that a data subject has the right to confirmation from a data controller whether or not their data has been processed and if so: …