
Sarah Nakamura / 2026-04-08 / Insights
A quiet operational problem
Data subject access requests are a quiet operational problem. The first one is fine — a person asks what data you have on them, and someone manually checks the systems they can think of. By the tenth one, the team is overwhelmed, and by the hundredth, the program either breaks or hardens into something workable.
The breaking point
Most companies underestimate when DSARs become unmanageable. The trigger isn't request volume in absolute terms — it's the ratio of requests to the team capacity that handles them, and the systems they have to search. Five requests a month against thirty systems can be harder than fifty requests a month against five systems, because the per-request investigation time dominates.
The teams that hit the wall describe the same experience: legal forwarding requests to security, security pinging system owners, system owners running ad-hoc queries, results getting compiled in spreadsheets, and the deadline approaching faster than the work moves. By the time the response goes out, the team has lost a week and the request has cost more than anyone budgeted.
Three patterns that work
The customers we work with who handle DSARs at scale share a few patterns. First, they have a real inventory of where personal data lives — not a spreadsheet, but a continuously updated map across systems that doesn't require a system owner to remember whether their database stores email addresses.
Second, they have automation for the common cases. Lookup-by-identifier, deletion confirmation, export packaging — these don't require an analyst running queries by hand if the data map is accurate. The analyst's time goes to the edge cases.
Third, they've decided in advance what counts as reasonable effort and what's out of scope. Internal logs that mention a user's email in a stack trace? Backup tapes from three years ago? Test datasets in developer environments? The answers vary by jurisdiction and by company appetite, but having pre-decided answers is the difference between a workable program and an open-ended one.
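The three patterns above fit together in code: a data map drives the lookup, the common case is automated, and the pre-decided scope is applied by policy rather than per request. The following is an added illustration, not code from the original post; the system names, tiers, records and the "production only" scope rule are constructed assumptions.

```python
# Constructed data map: where personal data lives and which field can be
# queried for a lookup. System names and tiers are hypothetical.
DATA_MAP = [
    {"system": "crm", "identifier": "email", "tier": "production"},
    {"system": "billing", "identifier": "email", "tier": "production"},
    {"system": "analytics-dev", "identifier": "email", "tier": "development"},
    {"system": "cold-backup-2023", "identifier": "email", "tier": "backup"},
]

# Pre-decided scope policy (an assumption standing in for the legal/security
# agreement): only these tiers count as reasonable effort for a DSAR.
IN_SCOPE_TIERS = {"production"}

# Constructed sample records standing in for each system's query results.
SAMPLE_STORES = {
    "crm": [{"email": "alice@example.com", "name": "Alice"}],
    "billing": [{"email": "alice@example.com", "plan": "pro"},
                {"email": "bob@example.com", "plan": "free"}],
    "analytics-dev": [{"email": "alice@example.com", "sessions": 12}],
    "cold-backup-2023": [{"email": "alice@example.com", "name": "A."}],
}


def lookup_by_identifier(value, data_map=DATA_MAP, stores=SAMPLE_STORES,
                         in_scope=IN_SCOPE_TIERS):
    """Search every mapped system for records keyed by the given identifier.

    Returns (results, excluded): results maps each in-scope system to its
    matching records; excluded lists (system, reason) for systems skipped by
    policy, so the response can state what was searched and what was not.
    """
    results, excluded = {}, []
    for entry in data_map:
        system, field_name, tier = entry["system"], entry["identifier"], entry["tier"]
        if tier not in in_scope:
            excluded.append((system, f"tier '{tier}' is out of scope by policy"))
            continue
        matches = [r for r in stores.get(system, []) if r.get(field_name) == value]
        results[system] = matches
    return results, excluded


def package_export(value, results, excluded):
    """Assemble the export with the search scope recorded next to the data."""
    return {
        "subject": value,
        "records": results,
        "systems_searched": sorted(results),
        "systems_excluded": excluded,
    }
```

Recording the excluded systems alongside the export is what makes a response defensible as complete under the pre-decided policy.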
The conversation most teams skip
The third point is the one most teams miss. Privacy regulations don't require omniscience, but the legal and security teams need to align on what good-faith effort looks like. Without that alignment, every request becomes an open-ended investigation, and the program never scales — because there's no end-state that the team can confidently call complete.