[Podcast] HaystackID® in the EDRM Illumination Zone: Ryan Costello
Editor’s Note: AI governance is often discussed as a future compliance challenge, but as Ryan Costello explained during the recent EDRM Illumination Zone podcast, it begins with understanding the data organizations already have today. The podcast and corresponding article explore why information governance, data privacy, data subject access request (DSAR) readiness, and AI governance are interconnected rather than separate initiatives, and why that distinction matters for legal and compliance teams. As organizations accelerate AI adoption while handling privacy regulations, building a clear understanding of enterprise data has become a business necessity. HaystackID® AI Governance Services help organizations establish defensible governance frameworks, assess AI readiness, and implement policies that align innovation with regulatory expectations. Listen to the episode and read the article to get practical guidance to deploy AI responsibly while reducing legal, operational, and regulatory risk.
AI Governance Starts with Data You Already Have
By HaystackID Staff
A general counsel gets off a call with the board. The directive is simple: get AI deployed this quarter. The budget exists, the vendor is selected, an AI tool is ready to roll out across the organization, and deployment begins in 60 days. Everything moves forward until someone from IT raises a question no one had considered, not even in the project plan: what data will this tool actually be able to access?
The rollout stalls. Legal wants to know whether sensitive HR records fall within scope. IT cannot confirm what the retention policies say or whether anyone has followed them. And in the background, three data subject access requests (DSARs) from former employees arrived six weeks ago, one of which is due in four days and covers two years of internal correspondence across Teams and email. In Costello’s experience, this type of situation is more common than most organizations realize.
Ryan Costello, Executive Vice President of Global Advisory and Client Engagement at HaystackID, regularly encounters this type of collision among clients on both sides of the Atlantic. A US-qualified attorney holding three IAPP certifications across US, European, and management privacy frameworks, Costello has spent 20 years at the intersection of eDiscovery, regulatory compliance, and cross-border data management. In the latest episode of the EDRM Illumination Zone podcast, he laid out what organizations are grappling with as AI deployment pressure intersects with data privacy obligations, information governance gaps, and a DSAR backlog that keeps growing. The throughline across all of it is that organizations cannot govern what they do not yet understand.
Former Employees Are Driving Your DSAR Backlog
For legal and compliance teams, the instinct around DSARs has often been to treat them as a customer service function. Someone wants their file, which might mean shipping history, account details, or purchase records, something straightforward to pull and send. What Costello makes clear, though, is that the operationally demanding requests look nothing like that.
Costello noted that the majority of DSARs since GDPR’s inception have been from former employees.
That number reorients the operational problem. A former employee’s DSAR isn’t a request to tidy the customer file. It is a request for correspondence, internal communications, HR documentation, performance reviews—often years’ worth of data spread across email systems, Microsoft Teams, Slack, and whatever collaboration tools the organization happened to be using at the time. Finding two people discussing a third person across those platforms is significantly harder than pulling an account record. And these requests carry tight deadlines—generally 30 to 90 days, depending on jurisdiction.
The volume compounds the difficulty. Costello cited a 60% year-over-year growth in the total number of access requests organizations receive. Companies that have undergone reductions in force face an especially sharp version of this problem: multiple employees leave simultaneously, and multiple DSARs follow shortly after, arriving all at once.
“Organizations tend not to realize that problem until they’ve gotten a request,” he said.
For organizations that have not built the processes to respond—or that are only now discovering what responding entails—that 60% growth figure represents a readiness gap unlikely to close on its own.
The AI Mandate Without the Map
The AI governance conversation is unfolding against a very similar backdrop: pressure from above, uncertainty below, and a regulatory environment that has not yet kept pace with deployment.
Board mandates to adopt AI tools are real. While budgets have often been allocated, many organizations lack the infrastructure knowledge required for responsible deployment. Query an AI tool about something mundane, and it surfaces the CEO’s payroll information because access permissions were never properly scoped. The tool did exactly what it was built to do, and that is precisely the problem.
Costello described where HaystackID finds the most traction right now: helping organizations get from zero to implementation—establishing basic policies and procedures, mapping the data infrastructure, and understanding what these tools will have access to before anything goes live.
That work spans four connected areas:
- Inventorying and classifying AI systems.
- Building governance programs.
- Validating high-risk systems for security and fairness.
- Implementing sustained oversight.
The objective is not a policy document that lives in a drawer. It is a repeatable operating model that holds up when regulators, customers, or the board seek that information.
The framework Costello draws on echoes privacy by design, one of GDPR’s foundational requirements. The logic is the same: bake compliance considerations into the tool or process before it goes live, rather than retrofitting them afterward.
“What we’re doing with AI is very similar,” he said to podcast hosts Mary Mack and Holley Robinson, referring to the methodology as “AI by design.”
For practitioners who spent the last decade building privacy programs, that framing is deliberate. The work is not entirely new; it just has a different label.
Everything Connects (Even When It Doesn’t Look Like It)
One of the more persistent failures Costello sees is the tendency of organizations to treat DSARs, data remediation, information governance, and AI governance as separate workstreams with separate owners and separate budgets.
Sitting beneath both DSARs and AI governance is a more foundational challenge: most organizations lack a clear picture of the data they already hold. A significant part of HaystackID’s advisory work involves going directly into clients’ Microsoft 365 and Google environments to assess what is there, what should be retained, and what has long outlived its usefulness. That groundwork is what makes everything downstream—DSAR responses, AI deployment, litigation readiness—significantly more manageable.
“Data remediation, data privacy, information governance, and AI governance are closely linked. AI adoption starts with understanding what data AI tools can access. Today, stakeholders can clearly see why these initiatives matter,” Costello said.
An organization that retains personal employee data well beyond its policy-defined limits will face a more challenging DSAR response than one that has enforced retention schedules. An organization that cannot map its data holdings will struggle to scope what an AI tool can access. An organization that has not done the information governance groundwork will be flying blind when regulators eventually demand accountability for AI decisions.
The practical payoff of recognizing those connections goes beyond compliance. Organizations that manage their data rigorously earlier in the process reduce downstream eDiscovery costs. Data that was deleted on schedule doesn’t need to be reviewed in litigation. As Costello noted during the podcast, the investment in governance yields returns that extend well beyond the regulatory docket.
The Atlantic Gap That Closed
Costello brings an unusual vantage point to this work: 18 years of personal and professional engagement with Europe, particularly Italy, overlaid on a US legal and eDiscovery career. The perspective matters because the issues are no longer as geographically distinct as they once seemed.
Years ago, the conventional wisdom held that Europe lagged behind the US in eDiscovery sophistication, TAR adoption, and document review technology. GDPR enforcement and the rapid adoption of AI-enabled tools changed that calculus.
“That gap between the two locations has closed, has closed tremendously, so that we’re talking each and every day with clients in Europe and in the US. The problems are the same,” Costello said.
What has not converged is the cultural approach. European employees, particularly in the UK and EU, exercise data rights—access requests, deletion requests, rights to correction—with a frequency and familiarity that US employees largely do not match yet. Some US states are catching up legislatively, California most prominently. But day-to-day organizational awareness in the US remains lower.
There is also a difference in tempo. The European work style—and Costello is candid that Italy informs his thinking here—allows for a more considered approach to new challenges. According to Costello, the US tendency toward the fire-drill, work-through-the-weekend mentality often compresses exactly the deliberation that responsible AI adoption requires. Understanding how a client works, how decisions move through their organization, and what their cultural defaults are is not peripheral to advisory work. It shapes what recommendations will land—and for organizations with exposure in both the US and Europe, having an advisor who has operated in both environments means the recommendations don’t have to be translated before they can be acted on.
Preparing for Enforcement That Is Coming
The rollout of the EU AI Act has been delayed and US federal AI regulation remains unsettled, and that regulatory lag has reduced some of the urgency organizations feel to get their governance programs in order. But Costello is unambiguous about how that calculus will shift.
The organizations that treat today’s relatively light enforcement as an opportunity to build infrastructure—data maps, access controls, retention policies, AI use frameworks—will be in fundamentally better shape when stricter regulatory requirements arrive. Those who treat the delay as permission to skip the foundational work will find themselves scrambling to retrofit compliance into systems that were never designed with it in mind.
The cost of waiting is not hypothetical. GDPR fines can reach €20 million or 4% of global annual turnover. A single poorly scoped AI deployment that exposes sensitive employee data can simultaneously trigger regulatory scrutiny, litigation, and reputational damage. For legal and compliance leaders making the case for governance investment internally, the math tends to be more persuasive than the principle.
According to Costello, the AI tools organizations are deploying today are still in their infancy, and the full regulatory and risk implications won’t be clear for another two or three years. Organizations that do this work now will be significantly better positioned when the regulatory environment tightens.
The light-bulb moment Costello describes—when a stakeholder clearly sees how DSARs, data remediation, information governance, and AI governance fit into a single, coherent program rather than four separate line items—is the point at which the advisory work becomes genuinely consequential. Not because the insight is complicated, but because so few organizations have had someone lay it out that way. Once they do, the conversation shifts from “which of these do we tackle first” to “how do we build a program that addresses all of them together”—and for in-house legal and compliance leaders, that conversation is the most productive place to start.
That shift is exactly what HaystackID’s advisory team is positioned to drive—and, given what is heading toward legal and compliance functions from every direction, it is a conversation that cannot wait for the regulatory calendar to force it.
More About Ryan Costello
Ryan Costello is a seasoned legal and data privacy expert with deep experience in eDiscovery, regulatory compliance, and cross-border data management. Costello helps organizations navigate complex challenges in data governance, AI integration, and privacy compliance. His work focuses on proactive strategies for information security, data classification, and regulatory readiness, ensuring that clients stay ahead of evolving legal and technological landscapes. Before joining HaystackID in September 2024, Costello spent nearly six years at ProSearch, where he played a key role in advising clients on data protection, eDiscovery workflows, and compliance strategies. A U.S.-qualified lawyer, Costello brings a global perspective to legal consulting, having managed projects across the United States and Europe. His expertise spans GDPR, cross-border discovery, and privacy-first frameworks that balance innovation with risk mitigation. Costello holds multiple certifications from the International Association of Privacy Professionals (IAPP), including Certified Information Privacy Professional – United States (CIPP/US), Certified Information Privacy Manager (CIPM), and Certified Information Privacy Professional/Europe (CIPP/E). With a career that bridges legal, privacy, and technology domains, Costello is a trusted advisor to corporations and law firms managing high-stakes data challenges.

The podcast is available on your favorite listening app, including Spotify, Apple Podcasts, and Google Play. The podcast is also available on the EDRM website and is provided below for convenience.
Join HaystackID’s experts as they share actionable insights on today’s most material topics—from how GenAI is reshaping legal data strategies to the latest approaches in digital forensics. Explore our full library of EDRM Illumination Zone podcast episodes.
About the Electronic Discovery Reference Model
Empowering the global leaders of e-discovery, the Electronic Discovery Reference Model (EDRM) creates practical global resources to improve e-discovery, privacy, security, and information governance. Since 2005, EDRM has delivered leadership, standards, tools, guides, and test datasets to strengthen best practices throughout the world. EDRM has an international presence in 136 countries, spanning six continents. EDRM provides an innovative support infrastructure for individuals, law firms, corporations, and government organizations seeking to improve the practice and provision of data and legal discovery with 19 active projects. Learn more at EDRM.net.
About HaystackID®
HaystackID® solves complex data challenges related to legal, compliance, regulatory, and cyber requirements. Core offerings include Global Advisory, Cybersecurity, Core Intelligence AI™, and ReviewRight® Global Managed Review, supported by its unified CoreFlex™ service interface and eDiscovery AI™ technology. Recognized globally by industry leaders, including Chambers, Gartner, IDC, and Legaltech News, HaystackID helps corporations and legal practices manage data gravity, where information demands action, and workflow gravity, where critical requirements demand coordinated expertise, delivering innovative solutions with a continual focus on security, privacy, and integrity. Learn more at HaystackID.com.
Assisted by GAI and LLM technologies.
Source: HaystackID
Advisory Note: As organizations accelerate AI adoption, the challenge extends far beyond selecting the right technology. Understanding what enterprise data AI systems can access, establishing defensible governance frameworks, and integrating privacy, information governance, and compliance into deployment decisions are now essential business priorities. HaystackID’s AI Governance Services help organizations inventory AI systems, assess AI readiness, develop governance policies, validate high-risk AI applications, and implement ongoing oversight aligned with evolving regulatory requirements. Combined with HaystackID’s deep expertise in information governance, data privacy, DSAR response, eDiscovery, and cross-border advisory services, these capabilities help organizations deploy AI responsibly while reducing legal, operational, and regulatory risk.