Digital Trends

"We got 50 data requests overnight": How smart DSAR processes protect trust – Channel Eye

Imagine the situation: a robust and trusted business, with good policies and practices in place, rarely receives Data Subject Access Requests, and the couple that do come in each year are easily handled.
But when it experienced a data breach, which we all know can happen to anyone, 50 requests came in overnight, costing the business a huge amount of time and resource.
A phishing email had reached a new joiner. Believing the message was genuine, they entered login credentials via an email link, which gave attackers access to an email account and, critically, to several shared mailboxes. Among them: a client onboarding mailbox containing application forms and due diligence documentation.
The technical team acted quickly to contain the breach, including the required notification of the affected data subjects. But then came the surge: more than 50 individuals requesting details on their personal data, each through a Data Subject Access Request (DSAR). Each query was legitimate, time-bound, and complex.
The existing process was manual and fragmented, requiring data from several core business systems, pulling teams away from business-as-usual and creating operational strain.
The result? Weeks of disruption, diverted resources, and heightened regulatory risk simply because the DSAR response process was not ready.
Under GDPR Article 15, and/or comparable requirements in ‘Adequate’ jurisdictions, the response stipulations and constraints are pretty much defined from the outset. The clock starts ticking immediately: the window to respond to DSARs is one month, and meeting that deadline without sacrificing accuracy or security is tough when data sits across several systems and is contained in unstructured data sources such as email accounts and mailboxes. It is well known that the 30-day window can be extended to 90 days, but this is not always applicable, and the extension may not be ‘accepted’ by the relevant Supervisory Authority.
Making a robust DSAR response process part of your information management policies and framework, such as privacy and security, isn’t just about compliance – it’s about control and providing you with a level of assurance to be able to respond accordingly. When requests spike, you need clarity on where data resides, confidence in your response, and the ability and agility to act quickly without diverting critical resources for any longer than necessary.
KPMG’s PII Extractor tool is designed for those moments when a DSAR arrives. Whether the request is simple or complex, the solution is scalable and supports your response.
It maps data touchpoints across your organisation, consolidates information, and automates the response process. This results in less manual effort, faster turnaround, and assurance that you are meeting applicable regulatory obligations.
KPMG is onboarded as a supplier by means of a scalable retainer dependent on your needs and the complexity of your systems, which enables us to be ready whenever you need us. At the point of request, we are immediately able to get to work supporting your business in responding accurately and quickly.
For businesses, a resource such as this is invaluable. When regulatory obligations and client expectations converge, having an agile, defensible method for managing DSARs helps maintain trust and minimise disruption, ultimately strengthening your confidence and the trust your clients bestow.
Get ready now – for what might come.
For more information, email [email protected]
Pictured: Bryan Beesley, Advisory Associate Director, KPMG in the Crown Dependencies
The views expressed in this article are those of the author and not Channel Eye.
©2026 Channel Eye Limited.
This is a newsfeed from leading technology publications. No additional editorial review has been performed before posting.
