
DSARs Decoded: Managing Risk, Context, and Proportionality in Data Subject Access Requests
Why DSARs are more than PII searches - and how technology, people, and defensible process must work together.
Data Subject Access Requests (DSARs) can strike fear into even the most mature organisations. Tight deadlines, complex data environments, and significant reputational risk mean these requests are far more than an administrative exercise.
In this episode of The Salient Edge, host David Fisk is joined by Juan Di Luca of Data Analysis Services (DAS) to unpack the practical reality of responding to DSARs in a defensible, proportionate, and risk-aware way.
The conversation explores why DSARs are often weaponised by disaffected or former employees, why organisations must pause before diving into data collection, and why understanding the motivation behind a request can be just as important as identifying the data itself. While technology — including AI and machine learning — plays an important role, Juan explains why DSARs remain a highly contextual, human-led discovery task.
Key topics covered include:
• Why DSARs should be treated as eDiscovery and potential pre-litigation exercises
• The risks of over-disclosure and accidentally releasing third-party PII
• Why spotting PII is easy — but understanding context is not
• Proportionality, defensibility and the limits of automation
• The importance of legal oversight and structured workflows
• How machine learning can support elusion testing and outlier detection
• Managing redactions, exceptions, secure delivery and regulatory deadlines
• How hybrid review models combine technology, workflows and specialist teams to reduce risk and cost
Juan also shares real-world insights into how organisations misjudge DSAR risk — either by under-responding or relying too heavily on automation — and why reputational damage often outweighs regulatory fines.
Key takeaway: DSARs are not about speed alone. They are about balance — between transparency and confidentiality, automation and human judgment, and efficiency and defensibility.
This episode is essential listening for legal teams, corporate investigators, compliance leaders, forensic accountants, HR professionals, and IT stakeholders navigating the growing complexity of data privacy and discovery obligations.
Chapters
- 00:01 Introduction to DSARs and their business impact
- 01:40 Juan's background and approach to DSARs
- 02:35 The reality of technology as a solution
- 03:56 The complexity of identifying personal information
- 05:19 The importance of understanding request motivation
- 07:24 Legitimate grounds for challenging DSAR requests
- 10:59 Risk assessment and reputational concerns
- 13:25 DSARs as complex eDiscovery tasks
- 17:08 Adaptability and unique case considerations
- 19:52 Enhanced review processes and machine learning
- 22:01 Conclusion and future approach


