As workplace data subject access requests (DSARs) become an increasingly tactical tool in employment disputes, we turn to Sofia Khaira, a renowned expert in data protection and privacy law with a deep focus on HR challenges. With years of experience guiding organizations through the complexities of personal data transparency rights, Sofia has witnessed firsthand the evolving landscape of DSARs, especially with the rise of generative AI and changing legal frameworks. In this interview, we explore how DSARs are being used strategically by employees, the impact of technology on these requests, and practical strategies for HR professionals to manage them effectively while balancing their day-to-day responsibilities.
Can you explain what a data subject access request, or DSAR, is and why it’s become such a significant issue in workplace disputes recently?
A DSAR is a formal request made by an individual, often an employee, to access the personal data an organization holds about them. It’s rooted in data protection laws like the GDPR, designed to promote transparency. But lately, we’ve seen a shift in how they’re used in the workplace. Employees are increasingly deploying DSARs as a tactic—whether to fish for information, stall processes, or pressure employers into settling disputes, even when the underlying claims might lack merit. This trend has grown because awareness of data rights has skyrocketed, and tools like generative AI make crafting these requests easier and more sophisticated.
How have you noticed employees using DSARs strategically, and can you share an example of a situation where it seemed like a fishing expedition or delay tactic?
I’ve seen DSARs used to gain leverage in disputes, often when an employee suspects there’s incriminating or useful information in emails or internal communications. For instance, I worked with a company where an employee, facing a performance review, submitted a DSAR asking for all communications mentioning their name over a five-year period. It was clear they were hoping to uncover something—maybe a stray comment or inconsistency—to challenge the review process. The request wasn’t focused; it was a broad sweep, creating a huge burden for the HR team and delaying the review while they sifted through mountains of data.
With generative AI playing a bigger role, how is it changing the way employees craft DSARs and the volume of requests employers face?
Generative AI has been a game-changer. Employees can now use these tools to draft detailed, seemingly professional DSARs without needing legal expertise. AI can generate complex language, suggest specific data categories, or even propose follow-up arguments if the employer pushes back. This has led to a surge in both the number and apparent sophistication of requests. What’s more, after events like layoffs or data breaches, we’re seeing coordinated waves of DSARs, likely because AI makes it easy to replicate templates across groups of employees. It’s a double-edged sword—more access for individuals, but a real headache for employers.
What kind of challenges does this AI-driven spike in DSARs create for HR professionals who are already juggling so many responsibilities?
HR teams are often stretched thin, and an influx of DSARs can be overwhelming. Each request demands time-intensive searches across emails, chats, and databases, often under tight legal deadlines. When AI ramps up the volume or complexity, it disrupts regular workflows—think onboarding, payroll, or employee relations. There’s also the stress of compliance; getting a DSAR wrong can lead to complaints to regulators or escalate disputes. HR staff end up diverting focus from strategic priorities to firefighting these requests, which can harm morale and productivity across the department.
You’ve emphasized preparation as a key factor. What practical steps can HR teams take to map out data sources before a DSAR even arrives?
Preparation is everything. Start by creating a clear inventory of where personal data lives—think HR systems, email servers, messaging apps, and even physical files. Document who has access to what and how data flows through the organization. Conduct regular audits to spot gaps or outdated records. It’s also smart to run mock DSAR exercises to test how quickly and accurately you can pull data. This kind of groundwork means you’re not scrambling when a request lands, and it helps you respond confidently within legal timeframes.
How crucial is it for companies to have the right technology subscriptions for tools like Teams or Slack to retrieve data easily, and what are the risks if they don’t?
It’s incredibly important. Regulators expect employers to use technology that supports data access rights, so having subscriptions for tools like Teams or Slack that allow data retrieval is non-negotiable. Without the right access levels, you might not be able to search or export chats and files efficiently, which can delay responses or lead to incomplete data sets. The risks are serious—failing to provide all relevant data can result in regulatory penalties or damage your credibility in a dispute. Plus, it just makes the process more painful and time-consuming for your team.
When a DSAR comes in, especially amid tension with an employee, how should HR set a professional tone from the start in their response?
The first step is to acknowledge the DSAR promptly and neutrally. Send a simple confirmation that you’ve received the request and outline the next steps, like verifying their identity or clarifying scope if needed. Avoid any hint of frustration or defensiveness, even if the underlying dispute is heated. This sets a tone of respect for their rights and shows you’re handling the process seriously. It’s about building trust early on, which can prevent unnecessary escalation and demonstrate to regulators that you’re acting in good faith.
Why is it so important to handle a DSAR separately from other workplace issues like grievances or disciplinary actions?
Mixing a DSAR with other matters can muddy the waters and create legal risks. A DSAR is about exercising a fundamental right to data access, not about resolving a grievance or disciplinary issue. Treating it separately ensures you’re focused on compliance with data protection laws, not swayed by unrelated emotions or agendas. It also helps maintain clarity in communications—if you blend issues, you might accidentally disclose irrelevant information or appear biased. Keeping things distinct protects both the process and the organization’s integrity.
Many DSARs ask for massive amounts of data, like ‘everything’ about an employee. How can HR push back on overly broad requests without outright refusing them?
The key is constructive engagement. Instead of saying no, open a dialogue to narrow the scope. Ask clarifying questions—What specific time period are you interested in? Are you looking for particular types of data, like performance reviews or emails? Suggest realistic timelines for delivery and explain why a blanket request might be disproportionate. This shows you’re cooperative while steering the request to something manageable. Under laws like the UK’s recent Data (Use and Access) Act, you’re only required to conduct reasonable searches, so use that framework to justify limits while staying collaborative.
Can you elaborate on what ‘reasonable and proportionate searches’ mean under the new UK data protection laws, and how this helps employers manage DSARs?
‘Reasonable and proportionate searches’ means employers don’t have to turn over every stone for a DSAR. Under the new UK Data (Use and Access) Act, you’re expected to make a good-faith effort based on the request’s scope and context, balancing the employee’s rights with the burden on the organization. For example, searching years of irrelevant data might not be justified for a narrow issue. This concept helps employers by setting boundaries—it allows you to focus resources on what’s relevant and defend your approach if challenged, as long as you can show your decision-making process was fair.
Why is documenting the steps taken during a DSAR response so critical, and how can technology assist with that?
Documentation is your safety net. It proves you’ve acted transparently and followed legal obligations if a regulator or employee questions your response. Record what searches you conducted, why you included or excluded certain data, and how you communicated timelines. This builds a clear trail of accountability. Technology, like document review platforms, can automate much of this—tracking search parameters, logging decisions, and storing correspondence. It saves time and ensures consistency, so you’re not piecing together notes after the fact.
What’s your advice for our readers on navigating the complexities of DSARs in today’s workplace environment?
My biggest piece of advice is to be proactive rather than reactive. Invest time now in understanding where your data lives and how to access it. Train your HR team on DSAR basics and build a response playbook that includes templates for communication and steps for scoping requests. Don’t underestimate the power of technology—use tools to streamline searches and record-keeping. Finally, always approach each DSAR with respect for the individual’s rights, even if it feels tactical. A balanced, professional response can de-escalate tension and protect your organization from bigger headaches down the line.
