ProvePrivacy Logo | Blue Green

Back to home
Contact us
ProvePrivacy | PP Logo
ProvePrivacy | PP Logo

Back to home

Artificial Intelligence and the Impact on Data Subjects Rights

Understanding Potential Data Protection Risks

Do you remember in the good old days when Data Subject Access Requests (DSAR) were often a polite, manually drafted letter? Now, however, Artificial Intelligence and the Impact on Data Subjects Rights is a topic that is increasingly relevant, changing how these requests are managed.

With the rise of Generative AI (GenAI) like ChatGPT and Gemini, individuals are now equipped with “digital paralegals” that can draft sophisticated, legally-coded requests in seconds.

Is this leading to a new wave of educated data subjects, or is there still ignorance?

Is this a problem for data protection professionals or is it an opportunity?

In this blog we look at how Gen AI is changing the data protection landscape by empowering individuals to reclaim their privacy rights whilst creating a unique set of challenges for the professionals tasked with responding.

The Power Shift: How AI Empowers the Data Subject

For the average person, data protection knowledge came from a place of ignorance, they might recognise that they could raise a DSAR, but they probably didn’t know about other rights.

Now, tools like ChatGPT and Gemini prove to educate data subjects, they remove some of that ignorance by providing information which might allow them to make more educated choices.

There are several immediate benefits to data subjects:

  • Professional Drafting: Users can simply prompt an AI: “Draft a DSAR to my former employer focusing on internal Slack messages and performance reviews.” The result is a professional, authoritative request that looks like it came from a law firm.
  • Knowledge on Demand: AI explains complex rights—such as the right to rectification or the right to be forgotten—in plain English, making people more likely to exercise them.
  • Low Friction: The “effort barrier” has vanished. What used to take an hour of research now takes thirty seconds, leading to a massive spike in request volumes.
A Rising Trend

The Information Commissioner’s Office (ICO) reported a significant trend: complaints related to data protection rose from roughly 39,700 in 2023/24 to over 42,800 in 2024/25. Forecasts for 2026 suggest this could climb as high as 55,000 as AI-driven requests continue to flood the system[i].

One of ProvePrivacy’s clients can evidence a rise of 300% between 2024 and 2025 and is now receiving requests under ‘right to be forgotten’ and ‘right to object’, which they had never seen previously.

Where Data Subjects Get It Wrong

While AI is a powerful drafting tool, it isn’t a qualified lawyer. Data subjects often rely on AI-generated text without realizing its limitations, leading to “noisy” or unsuccessful requests:

  • Ignoring Exemptions: AI might draft requests based on weak prompts, so the data subject may not be aware that a company can legally withhold data under exemptions like legal professional privilege or management forecasting.
  • Rights vs. Reality: A data subject might prompt an AI to demand the “deletion of all records,” but the AI may fail to explain that statutory retention periods (like tax laws) often override the “Right to Erasure.”
  • Poor Framing of Goals: If prompted poorly, AI might include every possible category of data. This might leads to the request being flagged as “manifestly unfounded or excessive,” ironically slowing down the process for the individual and at the same time yielding an excess of information, which isn’t required or helpful.
Advice for Data Protection Professionals

If you are a DPO or a privacy lead, the “influx” isn’t coming—it’s already here. Here is how to manage the AI-powered surge:

  • Educate on Exemptions: Your response templates should clearly explain why certain data was withheld.  Educate the data subject, don’t just quote the regulation but explain clearly what it means, what has been exempted and why.
  • Protect the Data of Others: Make sure that you always redact the personal data of others (exemption: Schedule 2, Part 3, Paragraph 16).  It isn’t always possible or reasonable to obtain the consent of every other data subject noted in the discovery file and disclosure otherwise would result in a data breach.
  • Reasonableness is Your Friend: Under the latest UK guidance, you are only required to conduct a “reasonable and proportionate” search. If an AI-drafted request asks for every email ever sent in a ten-year period, you are entitled to ask the subject to narrow their scope.
  • Take Your Time:   You may need to take advice on what is disclosable of not or have vast volumes of data to redact.  Don’t be afraid to take your time, you have 30 days to provide your response and in some circumstances can extend this by a further 60 days, so long as you inform the data subject.
  • Evidence Compliance: For every request, make sure that you can evidence how you responded, information such as when it was received, what was requested, what was exempted.  When and how you responded are essential for ensuring accountability is evidenced.
  • Inform Upwards: The increase is requests is here now, but we suspect your team is still the same size as last year?  Make sure that you can create informational and actionable updates for your senior team, this will support their decision to increase your support and resources.
 Problem or Opportunity?

The application of data protection regulation has suffered in the UK, the regulator has been granted powers of enforcement, but is rarely successful in implementing them, leading to an environment where organisations might not take their obligations seriously.

Enforcement is beginning to come from the AI informed data subject, through increased requests.

For those data protection professionals who are freelance, this provides an opportunity for additional support to their clients, it provides an opportunity to increase training, implement procedure and provide support.

For those data protection professionals in a permanent role, you are provided with an opportunity to raise awareness within your organisation, gain support from stakeholders and if necessary develop your resources.

One thing is clear, the days of standing still in the data protection space is coming to an end. Now is the time to use this influx as an opportunity to act.

Conclusion

The increase in AI driven requests is a double-edged sword. It promotes transparency and holds organisation accountable, but it also creates a baseline of administrative noise that can bury legitimate concerns.

For privacy professionals, the goal in 2026 is no longer just “compliance”—it needs to be ‘evidencing compliance’ to improve the data protection landscape.

For more information about how ProvePrivacy can help you to manage data subjects rights and provide the evidence you need to influence your senior team get in touch or book a demonstration: https://meet.proveprivacy.com/#/demo

[i] Source: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/2025/08/ico-consultation-on-draft-changes-to-how-we-handle-data-protection-complaints/#:~:text=The%20ever%2Dincreasing%20demand%20for,of%20handling%20data%20protection%20complaints.

Picture of Mark Roebuck

Mark Roebuck

Manage personal data and privacy risks

Book a demo

You might also like

Scroll to Top

Contact us

If you would like to ask more questions or to arrange training, complete the form below and we will respond shortly.

Prefer to schedule a 15 minute call? Schedule call today >>

See our Privacy Statement for more details.
Contact us