[Webcast Transcript] The Rising Tide of DSARs: Transforming Access Requests from Compliance Burden to Strategic Capability
Editor’s Note: Data subject access requests (DSARs) are no longer isolated privacy obligations. They have become a key indicator of an organization’s overall data governance maturity. As regulatory scrutiny increases and AI-generated content expands the volume and complexity of enterprise data, organizations need repeatable, defensible processes that extend well beyond manual compliance workflows. A recent HaystackID® webcast explores why DSAR readiness begins with strong information governance, data mapping, and AI governance rather than simply responding to requests as they arrive. The panel shared practical strategies for reducing costs, improving response times, and leveraging AI responsibly without sacrificing defensibility. These insights align closely with HaystackID’s Global Advisory services, which help organizations modernize privacy, compliance, and eDiscovery workflows. Whether preparing for regulatory inquiries, employment disputes, or broader litigation readiness, the discussion provides a roadmap for turning DSAR response into a long-term strategic advantage.
Expert Panelists
+ Esther Birnbaum
EVP of Data Intelligence, HaystackID
+ Ryan Costello (Moderator)
EVP of Global Advisory and Client Engagement, Advisory Group, HaystackID
+ Christopher Wall
DPO and Special Counsel for Global Privacy and Forensics, HaystackID
+ Patrick Zeller, FIP, CCEP-I
General Counsel, JetStream Security
By HaystackID Staff
As data subject access requests (DSARs) become more frequent, more complex, and increasingly tied to employment disputes, organizations are finding that traditional, manual response processes can no longer keep pace. Tight regulatory deadlines, growing volumes of unstructured data, expanding privacy obligations, and the emergence of AI-generated content are transforming DSARs from routine compliance tasks into enterprise-wide governance challenges. These requests now require close coordination across legal, privacy, HR, IT, cybersecurity, and information governance teams, exposing weaknesses in data management and increasing both cost and regulatory risk.
These challenges formed the foundation of HaystackID’s recent webcast, “The Rising Tide of DSARs: Transforming Access Requests from Compliance Burden to Strategic Capability.” Moderated by Ryan Costello, the discussion featured HaystackID® experts Esther Birnbaum and Christopher Wall, as well as Patrick Zeller, General Counsel at JetStream Security. Together, the panel explored why organizations should move beyond viewing DSARs as isolated compliance obligations and instead treat them as an opportunity to strengthen information governance, improve data readiness, and build scalable, defensible response programs.
A central theme of the discussion was that the real challenge is not the DSAR itself but the underlying state of an organization’s data. Panelists emphasized that fragmented data environments, inconsistent retention practices, and limited visibility into enterprise information make it significantly more difficult to respond to requests. As Christopher Wall explained, “We’ve got to go from reactive to repeatable,” encouraging organizations to use DSAR readiness as a catalyst for stronger information governance, documented processes, and defensible workflows that extend well beyond privacy compliance. The panel also discussed how generative AI (GenAI) can accelerate relevance review, automate redactions, and improve efficiency when paired with proper validation and human oversight.
The webcast concluded with a broader message: organizations that invest today in proactive governance, defensible AI practices, and scalable data management will be better equipped to respond not only to DSARs but also to litigation, regulatory inquiries, and the growing demands of AI-enabled business operations.
Read the full transcript below and watch the complete recording to learn how DSAR readiness can become a strategic capability that strengthens privacy, improves operational resilience, and delivers lasting business value.
Transcript
Ryan Costello
Hello, everyone. Thank you for joining today’s HaystackID webcast, “The Rising Tide of DSARs: Transforming Access Requests from Compliance Burden to Strategic Capability,” hosted by the EDRM. I’m Ryan Costello, executive vice president for global advisory and client engagement at HaystackID, and I’ll be the moderator for today’s program. The webcast is part of HaystackID’s ongoing educational series designed to help you stay ahead of the curve in achieving your cybersecurity, information governance, and eDiscovery objectives. We’re recording today’s webcast for future on-demand viewing, and we’ll make the recording, along with the complete presentation transcript, available on our website at haystackid.com. It’ll also remain available in the EDRM’s global webinar channel throughout the rest of this quarter to support your continued learning and reference needs. But before introducing today’s speakers and diving into the program, I want to turn it over briefly to Holley Robinson of the EDRM, who’s going to show you some brief notes on how to use and work with and interact with our webinar console. So over to you, Holley.
Holley Robinson
Thank you, Ryan. If you look at the top of your screen, you’ll see the HaystackID logo, which you can click on to learn more about HaystackID. You’ll also see an option to contact Team HaystackID directly, along with speaker bios that let you learn more about today’s presenters. Moving down, you’ll see the Q&A box where you can type in your questions for today’s faculty, and we highly encourage you to do so. We’ll be answering questions during and after the webcast. Below the Q&A, you’ll find today’s resources, including the slide deck, a link to HaystackID’s DSAR Response Service fact sheet, and a link to learn more about HaystackID’s Core Intelligence AI Case Insight™ and Case Elements. There’s also a link to register for HaystackID’s upcoming webcast, “Insights from Experts on the Impact of AI on eDiscovery,” happening on July 22nd at 12:00 p.m. Eastern, and we’d love to have you join us again. Lastly, you’ll see some emojis down at the bottom of your screen. Please feel free to use them and react throughout the webcast. Back to you, Ryan.
Ryan Costello
Awesome. Thanks, Holley. And thanks again to all of you for joining today’s webcast. Again, on today’s program, we’re going to get into how you can build a practical framework for managing DSAR response at scale for transforming DSAR responses into a strategic capability that encompasses compliance, governance, AI oversight, and much, much more. As I said, my name is Ryan Costello, and I’m Executive Vice President of global advisory and client engagement here at HaystackID. I’m joined today by three colleagues and friends who know the ins and outs of this topic from several different vantage points. So, legal, technology, and global privacy strategy, I’m really excited to have all three of them here today, and I’m really excited for what they’ll be able to share with you on this topic because there’s a lot of great knowledge here. So I want to start with my colleague, Esther Birnbaum. Esther is executive vice president of data intelligence at HaystackID. She leads our strategic work integrating AI technologies and data solutions across legal compliance and governance workflows. She started her career as an eDiscovery attorney at top-tier law firms, but then she went in-house as associate general counsel at Interactive Brokers, where she built their eDiscovery program from scratch and pioneered AI-driven workflows for financial services litigation support. Esther, great to have you here, and thanks for being here with us.
Esther Birnbaum
Thanks, Ryan. Really looking forward to this. When I came over to HaystackID, one of the first things I said using AI is, “My background’s in discovery. We know how to do this, so let’s do it smarter.” So really excited to have this conversation.
Ryan Costello
Awesome. Thank you. Next up is my colleague, Chris Wall. He’s our data protection officer at HaystackID and special counsel for global privacy and forensics. Chris helps our teams’ clients and our teams internally navigate cross-border privacy and data protection issues tied to things like cyber investigations, data analytics, and discovery. He started as an antitrust lawyer before moving into technology consulting way back in 2002, and he’s led cross-border cybersecurity and forensics investigations at global consulting firms, as well as at HaystackID here. So, Chris, happy to have you here as well.
Chris Wall
Thanks, Ryan. Really happy to be part of this.
Ryan Costello
Very good. And last but definitely not least is my friend and yours, Patrick Zeller, general counsel at JetStream Security. Patrick was most recently, before joining JetStream, Aristocrat’s senior vice president and chief privacy officer, where his team owned privacy, data protection, cybersecurity, GenAI, and data compliance across more than a hundred different jurisdictions. Earlier in his career, Patrick was a litigator and a federal computer crimes prosecutor, and he’s built global privacy and information governance programs covering the GDPR, the CPRA, and data protection regimes all over the world, including Brazil, China, Vietnam, Russia, and even further afield than that. Patrick, great to have you here. Thanks for joining us.
Patrick Zeller
Thanks, Ryan. Long-time listener, first-time caller.
Ryan Costello
So that’s our panel, everybody. So we’ve got a great mix here of really practical wisdom and intelligence around this. We’ve got data intelligence. We’ve got a legal background. We’ve got global privacy leadership. And that’s really a great mix to be talking here about DSARs, because DSARs, data subject access requests, touch on all those various disciplines. But to really start the program, I wanted to lead off with kind of a rhetorical question for everybody on the call today. And that question is, what is one privacy obligation that quietly, and often not so quietly, touches legal, HR, IT, and compliance, but still manages to somehow be a surprise each and every time it pops up in organizations? And that is not breach response. That is not a data protection impact assessment. And it’s definitely not privacy notices. What we’re talking about are data subject access requests, or DSARs. So Article 15 of the EU and UK GDPR, and then certain individual privacy rights under legislation, including in California, Brazil, and elsewhere, offer this right of access, which is the right of an individual to access or receive copies of certain information that an organization might hold about them. The right of access over the last few years has really evolved into more of a… really from something that was first seen as a manageable compliance task into something that’s really far more complicated and far more difficult for organizations to work through. So part of what we want to cover today is to talk through why that is and some background around… Sorry. I’m jumping around on the deck a little bit, but I found the slide that I wanted. We want to talk through some background on why this particular compliance requirement has become so complicated and how it can lead to a larger strategic capability and framework within organizations that have to respond to these.
So today, again, I want to talk you through what’s really driving DSAR growth, why costs are spiraling, where organizations specifically are struggling with this compliance requirement, and then most importantly, how to transform DSARs from a reactive burden into a scalable strategic capability. Let’s start with what’s happening on the ground, okay? DSARs, as I mentioned a moment ago, are the right of access, so the right to receive a copy of information that an organization holds about an individual. Anyone can bring about that right of access, provided they meet the criteria laid out in the legislation. Generally, it’s going to be… Or oftentimes, it will be a customer or a client executing a DSAR. So if I am a client, say, of British Airlines, and I would like to ask for my right of access to the information that British Airlines might have about me… I pick on them. I’m currently in Europe. Flew on that airline. But really, any organization based in the EU, or this is a right that attaches to any EU individual. But I could ask British Airlines for that right of access, and they would be required to furnish to me my personal information that I’ve given them, anything about my customer profile or information about me, my buying history, and maybe even trends that they’ve analyzed on what my future buying history might be or anything else that they’ve done with that data that they hold about me as an individual. Generally, when organizations are responding to those customer or client DSARs, it’s fairly straightforward. It’s strategic data that’s held within… Or excuse me. It’s structured data that’s held within an organization. They know where that customer data is. When they receive an access, you can kind of pull it and provide it in some sort of easily accessible means for me as the individual executing that request. 
Where DSARs get much more complicated is when we are looking at access requests from employees, ex-employees, or even job applicants to an organization. So that is where these can get much more complicated, as we will have much, much more data that falls within the scope of what that person can request. You can imagine if someone’s an employee of an organization, they’ve been there a very long time. They’ve asked for all that information. It will be their payroll information and so on, but it will also be correspondence about that individual, so where they’ve interacted or engaged with other people in the organization. But it might also be other people in the organization who have talked about that individual in any capacity, whether via email or Teams or Slack messages or some other means. So you can imagine that where we have kind of a difficult or a contentious workplace incident or a performance review that went poorly, that can lead to a lot of information that that person is looking for as part of that request. Now, that’s gotten very interesting over time. And where we’ve landed now in 2026 is that of all the DSARs that currently are reported each and every year, 67% come from current or former employees or even job applicants of an organization. So two-thirds of all requests, so EU, UK-wide, even globally, come from people who are employees. They aren’t customers, and they aren’t clients, except for that 33%. So that’s where most of these requests are coming from. That’s a huge statistic right there. Over 70% of EU and UK organizations have received at least one access request from an employee, an ex-employee, or a job applicant. Again, so this is most organizations, and most requests come from employees. And of the total amount of requests overall, we’re seeing a growth year over year of 40 to 60%. So that’s not just a gentle increase in the number of requests, it’s an exponential jump year after year.
So it begs the question, what’s driving people to execute these requests? It might be some privacy awareness on the part of individuals, to be sure. Oftentimes, it’s workplace dynamics. But as I said a moment ago, what is increasingly driving DSARs that we’ve seen on the ground are disputes at work, things happening during an exit or an offboarding of an employee, or we see positioning that’s happening ahead of an employment tribunal matter in the UK or employment litigation of some kind. So again, that’s what we’re seeing on the ground. That is what’s driving these DSARs in most cases. And again, what they’re asking for in these requests, again, from employees, ex-employees, job applicants, they’re asking for emails. They’re asking for messaging application messages, so like I said, Teams, Slack. They’re asking for discussion around performance reviews. They’re asking for internal discussions that happen about that person when they return from maternity leave, say, that led to a controversy. So that’s what we’re seeing. And what is really curious about that is the DSAR has gone from a compliance requirement to really a window into the organization, but specifically the data management of the organization. And that’s really where I want to jump over to our panelists to talk a little bit about this. So, Patrick, you’ve run privacy programs across more than a hundred different jurisdictions for years. I know that you’ve seen this employee-driven trend across DSARs. What does that really look like from your perspective and in your experience?
Patrick Zeller
When CCPA and CPRA went into effect in California, I was at a company. We built the processes to respond. We did not see very many. And then over time, we’ve seen those numbers skyrocket. We’ve also been seeing an increase in the number of requests from attorneys on behalf of clients. And one of the things I always do when I have global responsibility is I sort of divide it into buckets, right? California laws, other states in the US, the EU, you mentioned Article 15, potentially China and Brazil, sort of building processes that are, whenever possible, very similar, and then being able to repeat those processes, right? Because you’re going to inevitably have cross-border data requests as well.
Ryan Costello
Right. Right. Really interesting. So yes, that’s curious that people can go to have their attorney or their legal counsel carry out a request on their behalf, which is really curious. But people can also do it themselves, obviously. And we see that with the use of generative AI tools, people might be leaning on those to help them execute requests. So AI comes in at that side of it, but also in other perspectives as well. Esther, you have worked with me and others at HaystackID on building out our AI-enabled DSAR response workflow, and you’re very familiar with all this. Could you talk a little bit, from your perspective as an AI expert, about how generative AI and these tools in general are changing, whether how DSARs come about within an organization, or how they’re responded to?
Esther Birnbaum
Well, I think there are two sides of the coin, maybe three. The first is that when requesters are using GenAI, they are able to really understand the scope of what they’re able to request. And that could be a good thing or a bad thing because I’ve seen DSAR requests that are basically throwing the book at you and say, “Every mention of an employee in a company needs to be produced,” which is just a huge burden and usually negotiated down. So if requesters are using AI to actually focus their requests properly, it could be really helpful, but there’s a flip side to that, that they can be using AI to create much more involved, much more specific, and much harder to respond to requests. Now, on the flip side of that, we use AI to respond to them. So we’re kind of in a cycle where we built an AI-powered DSAR response because at our core, we know that this is discovery. We know how to do this. We know how to do it with AI. We can identify the right data. We can auto-redact. So we’re able to respond better, but AI also opens up an even bigger question of, “What about generated data? What if HR data is indexed and you have an internal-facing GPT or an enterprise account, and suddenly there is employee information in generated responses to AI queries?” So there are a lot of different levels when you look at this from an AI perspective, which I think we’re seeing across the board in legal and compliance in general. So I think my biggest takeaway from this is, yeah, the requests are going to get more difficult, the data’s going to get more difficult. We need to use technology to help us match that and respond better.
Chris Wall
Hey, Ryan, can I jump in here and just mention, too, that as you’ve been driving home with the statistics… And as Esther and Patrick have pointed out, I mean, it’s a really more complex area, but DSARs are really, really interesting right now because they sit at that intersection of privacy, data governance, defensibility, execution, and now also AI. Because everything’s AI now, right? And that’s a very, very busy intersection. We see near misses. We see collisions. We see fender benders every day at that intersection as organizations are trying to do more and more with that data constructively and to do it in a way that’s defensible and efficient. And I think you touched on this, and Patrick also touched on this a little bit, but we’re seeing a lot more of these sophisticated requests, including the ones that are not just driven by AI, but the ones that are driven by AI and the so-called DSAR trolls, right? Those who are looking for any lapses in response and the potential windfall that those lapses might present. So I think we’re seeing more requests, more complexity, and, at the end of the day, a lot more risk.
Ryan Costello
Yeah. Thanks, Chris. Appreciate that. So again, we’re talking more of a global reach for these requests, more volume, as I made the point a moment ago, but also more complexity. And of course, all of that contributes to cost implications. So I wanted to kind of turn and talk about that just for a minute. Globally, if you look at just the statistics, each DSAR request on average costs about $1,500, which doesn’t seem to be that bad. But as I made… or tried to make the point a few moments ago with the British Airlines example, customer client DSARs tend to be fairly straightforward, less complex. The complexity and a lot of the nuance and that intersection that Chris is talking about, again, that’s with employee DSARs and those situations where things really change the cost picture of this. Where we have more complexity in these DSARs, again, we’re seeing something closer to about $20,000 per request, if not higher. And to Patrick’s earlier point, oftentimes individuals are using counsel, legal counsel, or going through an attorney on this, and organizations are using outsourced legal support or help with their law firm or otherwise in order to respond to these requests. And where that happens… And again, we’re dealing with that complexity. We’re talking about $25,000 or more for each and every request that comes through. So, a manual sort of non-repeatable, non-scalable process for this becomes very, very expensive. Across the UK, organizations spend about 1.5 million annually on DSARs. So you can see as the complexity grows, as these things sort of develop, they are getting increasingly expensive, which becomes a risk to an organization of all kinds in how they effectively respond to these. There’s also an enforcement picture, though. So this is a regulatory requirement, and so there’s enforcement that adds additional cost and risk, as well as the actual cost of just the response. 
And so, Chris, I wanted to see if I could turn to you for a second to talk a little bit about maybe some of the enforcement picture around data subject access requests, what we’ve seen out there, and how that’s impacted organizations directly or indirectly.
Chris Wall
Yeah. I think at the end of the day, what we have to think about is where that data actually resides, because that’s where the enforcement response starts. And then really, that’s a fundamental IG exercise of data mapping and classification. So maybe in a simple DSAR, you have to query maybe a single mailbox, but if we’re talking about an employee dispute in a cross-border investigation, and maybe we’re dealing with both structured and unstructured data across multiple jurisdictions, that changes the calculus significantly. And at that point, everything has to be handled to a forensic standard, right? You’ve got to have all of those things that you would have in the traditional eDiscovery world, a clear forensics world, and a chain of custody. You’ve got to have a validated collection method, your fully documented decisions. And that’s where you get that huge number that Ryan’s talking about, that 20,000-pound figure for these data subject requests. I think about it in these terms. DSAR is analogous to a patient who shows up presenting with chest pain. And so the doctor’s cost of diagnostic workup may be high. You’ve got to do a lot of tests. But that chest pain itself is just a symptom. The underlying condition might be heartburn, but it might also be sclerosis, congestion, or an organization’s inability to quickly locate, validate, and then manage personal data across its systems. So until that underlying heart condition can be addressed, the organization’s going to continue to have those high costs every time that they receive a data subject request. And to take that analogy maybe a little bit further, we wouldn’t get worked up about chest pain, I guess, if we’d been doing what we all know that we should have been doing for all the last 30 years, getting enough fiber, eating our vegetables, and otherwise having a good information governance diet, exercising good data hygiene from the beginning. 
I think at the end of the day, this manual fulfillment of every data subject request, it pulls in legal, it pulls in privacy, HR, IT, records management, lots of different business stakeholders. And if it doesn’t in your organization, probably it should. In the organizations that I come across, it is an all-hands-on-deck kind of thing, depending on where that data touches, and typically, it touches many, many different parts of the organization. So from a regulatory standpoint, there’s a great opportunity there for organizations now to have the catalyst to get their information governance house in order and to get on that good data hygiene plan.
Esther Birnbaum
Yeah. And you know, what Chris says is really important. We’ll call it the information governance, data hygiene, record deletion piece. And that’s something we’ve been talking about for a long time, but it’s an area that historically nobody wants to spend money on. All large companies have messy data somewhere, and that is really the biggest problem when it comes to DSARs: where is that data? How do we find it so that we can produce it? And the interesting thing is that because of the threat of a DSAR and not being in compliance, any non-compliance gets reported to a DPA, a data protection authority, which means now you’re on their radar. And if you’re on the radar of a regulator, that’s never a good thing. You don’t want them digging into what your data hygiene and your privacy practices are, because that could potentially lead to a much larger fine. DSARs could be used as the impetus to say, “Look at the potential ramifications of doing it wrong. And look at proactively cleaning up your data, understanding your data, indexing your data, whatever you have to do to be in compliance with whatever regulations that you’re under.”
Chris Wall
I think organizations are being assessed not just on whether they respond, but also on how well they respond. And in my experience, it’s pretty uniform across the board that there are three areas where organizations feel pressure, and that’s in the timeliness piece, because you’ve got a very limited timeframe in which you can respond to one of these requests; completeness of that response; and then ultimately it’s the defensibility. How did we arrive at our assessment that it was a complete response? And if any of those are really lacking or lacking in any way in a response, that response then becomes really difficult to stand behind. In other words, it’s not really defensible. So it’s not just about responding, it’s about being able to defend the response.
Esther Birnbaum
And not just defend the response. I mean, that’s important. And you make a good point that it’s not always… What regulators look at is not always the end product, but it’s having the policies, having the procedures, and showing, for lack of a better term, good faith, because with all the technology, with all the data generated, with everything that has happened in such a burst over the last many years, there has to be an understanding that you’re not going to be perfect, but you have to show that you’re making the efforts to be in compliance. That’s always step one, like the policies, the procedures, and really show your diligence.
Ryan Costello
Thank you both for that. Patrick, I just wanted to turn to you with a question on all this. So we’re talking about the complexity. We’re talking about data hygiene, data management. We’re talking about all the different facets that go into this, including the sheer number of people or teams that are involved in a DSAR response. You’ve had all this advantage kind of building teams to respond to this globally. How do you use the complexity and the cost considerations and enforcement to create a budget line for this? Or how do you make the case to the execs or the C-suite, “We need this investment in this in order to be able to respond to these effectively”? So I’m thinking now of kind of mid-size organizations that may not have, say, a six-figure budget for this, but understand all the complexity involved. How do they help make that case?
Patrick Zeller
So I think phase one always starts at, like, “What do we have? Where do we have it?” This was a big thing under GDPR and for eDiscovery. And you really need to assemble the stakeholders, compliance, privacy, whoever’s helping with data protection, the CISO, and potentially the eDiscovery team, and sort of build that defensible, repeatable process on how we’re going to respond, and I think measuring the trajectory of these requests and building sort of the business case to get the funding you need to be able to respond. And Esther had a really good point, and we’ll talk more about this later, but it’s very easy for regulators to see if you’re operating under that umbrella of good faith based on what you’ve set up. We can talk more about that in a minute.
Chris Wall
I think it’s about consistency, because in legal or privacy work, scalability… And we do keep kicking around this term, scalable. And what does that mean? But in legal and privacy, it’s about doing more. Well, I guess it’s not so much about doing more. It’s more about doing it the same way every time, no matter how many requests come in. It means your process works just as well on your busiest day as it does on the quietest day of getting those requests. That’s scalability in my mind.
Patrick Zeller
Totally agree.
Ryan Costello
Definitely. Thank you both. And if I’m hearing you right, as well as what Esther’s had to say on this, it’s really not a question of how to respond to the DSAR, but it’s the data management problem that underlies the request itself and how you manage it. So knowing…
Chris Wall
Yeah. And I think that’s got…
Ryan Costello
… where your data is… Yeah, sorry. Go ahead, Chris, because I think we’re…
Chris Wall
I was just going to say that that’s got to be documented, right, Ryan? It’s got to be documented. And that dictates how you manage. Esther kind of hit this home a few times there. If we’ve documented our process and then we follow that and we document the fact that we followed that process every time, consistently, even on a scaled basis, then it’s going to be defensible. And look, our enforcement agencies are going to look a lot more favorably upon our response if that’s the approach that we take.
Ryan Costello
Definitely. Yeah, thank you. And I think that’s really the struggle here. Again, what we’ve seen on the ground with this is that organizations don’t have a complete data map. They’ve got some sort of fragmented system of data. We may retain data too long, or at least have policies around it, maybe that aren’t fully developed, or not applicable, or need to be revisited. That’s often the case. And just relying too much on a manual reactive process each time a DSAR comes in is viewed as a huge headache as opposed to an opportunity to really revisit a lot of what’s happening with data management.
Esther Birnbaum
Yeah. And I want to bring it back to a lot of what is required in general in legal and compliance. You get inquiries from a regulator. You have a litigation. At that point, you should know where your data is. So DSAR, we’re talking about it in the context of DSARs. But when we get to those points of, “Okay, we’re being asked for it,” that’s not the time to scramble to figure it out. The time to scramble is being proactive, and it’s very hard to get corporations to be proactive and spend money before they see fines, but it’s very-
Chris Wall
Kind of hard to repeat a scramble, right? Sorry, Esther. Very hard to repeat a scramble.
Esther Birnbaum
No, no.
Chris Wall
Right?
Esther Birnbaum
It’s true. It’s what we say in eDiscovery all the time. This isn’t the time to figure out how to access your data, especially with the timelines required by things like DSAR requests. What, 30 days, maybe you can negotiate? There’s a really quick turnaround. So I think we’re seeing companies, corporations wake up and really pay attention to this more and more. Chris and I were in England last week, and it was… We said the word DSAR to anybody, and they were interested because there is… We’re seeing more and more of it. We’re seeing more employees know about it. We’re seeing employees use AI to make very difficult requests, and companies are starting to understand.
Ryan Costello
What goes into understanding a lot of the data infrastructure that underlies this and whether… And can we use, Esther, AI to help support that? So whether we’re an organization that uses Microsoft 365 or we’re using Google applications… Maybe it doesn’t matter what tools or resources we use. What do we need to look to from an infrastructure perspective? And how does AI impact or change any of that?
Esther Birnbaum
Yeah, that’s a great question. And I think that the difficulty is looking back at the data infrastructure we already have and then saying, “Let’s use AI on it.” Because in order to do that, in order to properly use AI… And GenAI is incredible at understanding data, classifying data, and identifying data, but the data has to be searchable, and it has to be indexed, and so we have to even take a step back. Now, a lot of the privacy regulations require you to know where client PII is in your data. So when you’re setting up things like data lakes or repositories or archives, you should already have kept that in mind, that you’re going to have to search your data. You already have to know where the PII is. So moving forward, I think we’re going to be in a significantly better place where deploying AI onto your data is going to be easy because it’s set up to be searchable. But right now, I think we’re not there. And the process to get there is pretty involved because your data has to be indexed properly to search it in order to do all of this. And it’s difficult. Something in Microsoft 365, for example, means accessing it in Azure in order to process, index, and search it. So it can be done, and it should be done. It just needs to really be thought out in order to achieve it because it’s not a small ask.
Chris Wall
Hey, look, for a lot of.
Ryan Costello
Patrick…
Chris Wall
… organizations.
Ryan Costello
Oh.
Chris Wall
Sorry, Ryan. There’s a little delay here, I think.
Ryan Costello
Chris, yeah, please jump in. And then I’m just going to turn to Patrick with a follow-up to that.
Chris Wall
A lot of organizations, probably most large organizations today, use M365 as their primary system for record retention and disposition and for identifying DSAR-responsive data. And usually, like we’ve been talking about, that’s going to be an email, it’s going to be Teams, it’s going to be SharePoint. And that reality, the adoption of M365, makes that kind of infrastructure central to DSAR readiness, obviously. And Microsoft Purview and tools like that definitely can help support classification, retention, and disposition. Any discovery readiness… We keep talking about discovery here. But just as important, that defensible deletion and data minimization practice, whether you’re using M365 or some other tool, really can reduce the scope and the cost and the friction of a DSAR response. But that DSAR posture’s only going to be as good as your data foundation because good governance reduces bad surprises. And in practice, companies often need both defensibility and technical fluency, I think, to be able to make those environments work in a way that their privacy programs and their AI programs are really going to need. So I’m going to beat that drum a little bit more, and I’ll throw in another information governance pitch here, because defensible deletion and data minimization really can significantly reduce DSAR costs, the cost of any DSAR response. Because if you don’t have it, you don’t have to conduct discovery on it, and you don’t have… If you don’t have it, there’s really not much to search for in a DSAR response. So I’m going to keep beating that IG, that information governance drum, because that’s really where it starts.
Esther Birnbaum
I want to add to that and say that you need to really pay attention to retention policies on generated data. I think we’re going to see our data volumes exponentially increase if you’re using something like Copilot and all your data is being retained. There are so many questions out there relating to that. I can go in so many ways. I’m not going to because we’re focusing on DSARs. But if you ever want to talk about all the complications in legal that those bring up, give me a call. But really, the more data you have, the more expensive DSARs are going to be. And think about generated data, and think about how much data an employee can generate in an hour. It’s pretty incredible now.
Ryan Costello
Patrick, I wanted to turn to you for a second, kind of on the back of this conversation. Again, you’ve done a lot of this work with privacy programs. How important is, from your perspective, global information governance, data mapping programs, and what you’re involved with now, AI governance? How does all that come together? And then more specifically, and I’m kind of paraphrasing from a question we’ve received, but are there certain sorts of geolocations globally that you need to focus on or target first if you’re involved in this sort of exercise from a data management, information governance, mapping, or AI governance perspective?
Patrick Zeller
Yeah. So let me start with the scope, and then I can work into those questions. And again, like Microsoft 365, but are there.
Ryan Costello
Sure.
Patrick Zeller
… other tools employees are using to communicate that are work-related, that’ll capture this? And then the use of AI has exploded. It’s everywhere. People are using it. Esther mentioned the use of Copilot and the amount of data that can be created. And a lot of companies are not thinking about AI search queries needing to be preserved for internal investigations or potentially for litigation. But then also, are they going to contain information related to DSARs, right? So if your HR department is using an enterprise AI tool to process compensation or whatever, are you going to need to go into those for an employee DSAR request? I think there’s absolutely been an uptick. The European Union’s been sort of leading the way. California’s picking up quickly. But we also see employment plaintiffs’ lawyers leveraging this as a tool to get discovery sort of ahead of time. And one question I might pose to the group is, what if a company responds and they’re like, “Oh, we only have these 10 pieces of information on the employee,” and then they go into litigation, and now they’re producing hundreds of pages? So if they’re not doing a full production initially to the DSAR, is that going to sort of put you in a cage on what you can produce at litigation? I mean, there’s a lot of interesting things going on here. AI has done nothing but greatly complicate everything. I mean, AI is incredible, everybody’s using it, there are a lot of advantages, but there are a lot of nuances being created here as well.
Esther Birnbaum
Yeah. I mean, that’s a great point. And I think we should mention that very often the DSAR requests are used as really pre-litigation discovery. So they are weaponized, even though that’s not the intention. So what Patrick is saying is really something you have to think about because it’s not necessarily a one-off. It might just be the starting point for some greater action.
Patrick Zeller
Exactly. And this is something we saw in the FOIA, Freedom of Information Act, world in the government a long time ago. And courts have since ruled that you can absolutely use FOIA requests to supplement discovery, and I don’t see this being very different.
Esther Birnbaum
That’s right.
Ryan Costello
If we’re responding to a DSAR and it’s very clear that it is a discovery fishing expedition, does that change anything about how we respond to it at all? Or do we just accept that?
Patrick Zeller
I think companies will route those to their employment litigation group because they can sort of hear the footsteps of a case coming, so they tend to be handled differently as opposed to an employee who has left or wants their information deleted or somebody who applied for a job that wants their information deleted. But yeah, we’re seeing more and more of them, and they’re becoming more and more complex.
Esther Birnbaum
Yeah. And I think the reality is, you know, if there’s an employment problem, somebody was fired, or there’s a work-from-home issue or a performance issue, and the DSAR request centers around that, you have an idea where it’s going.
Chris Wall
And it does keep bringing us back to defensibility, guys, right?
Esther Birnbaum
Yeah.
Chris Wall
If your response to one of these data subject requests is different from what you end up producing in discovery, you’d better have a good reason for why that is. And that comes down to your documentation of your processes and making sure that you can demonstrate that you took all reasonable steps to respond to that DSAR in the first place.
Esther Birnbaum
Yeah. Chris and I always agree.
Chris Wall
Keeps going back to that.
Esther Birnbaum
… on the principle that is always defensibility first. So in that lens is… I know, Patrick, we’re concerned about what’s happening down the road, and the way we respond to DSARs has to be defensible and has to be defensible today, and it has to be defensible in litigation.
Patrick Zeller
Absolutely.
Ryan Costello
Defensibility first, I like that mantra a lot. Where there has been a regulatory response to access requests in any capacity or even just general regulatory enforcement in the EU, UK, do we know what regulators are looking for? And I suppose this is a question for Chris or Patrick. Do we know what regulators are looking for when we’re talking about defensibility specifically? So, in the manner of how we’ve responded, how do we make sure that we haven’t left data on the cutting room floor, so to speak, when we search for the information that’s pertinent to that request? Is there a checklist exercise that they’re looking at, or is there some other criteria that they’re applying to the regulatory enforcement around these requests, to the extent you guys have insight into that?
Chris Wall
Patrick can weigh in here from the enforcement standpoint, but I think what the enforcement and regulators are looking for, first and foremost, is what processes do you have documented and in place to begin with, okay? And second of all, did you follow those, and are there exceptions to how you follow them? Were you consistent in following them? And did you document those steps in following them? I think that’s where it starts. And then you can start looking at what you actually delivered as part of your response, but I think it has to start with what processes you have in place, because that demonstrates whether you, as an organization, take it seriously and whether you have taken it seriously from the beginning, even before receiving the data subject request.
Patrick Zeller
Yeah. I mean, I totally agree with Esther’s comments before, right? It’s the umbrella. I always picture those old Travelers insurance ads where there’s the giant red umbrella. You need to be under the red umbrella of good faith. And it’s fairly easy to see, right? Do you have a process? Is it defensible? Are you leveraging your existing eDiscovery tools to do this? Are you just producing emails? It’s pretty easy to look at a file and tell how much work was put into this, right? Do you have anything from Slack or Teams or whatever else the company’s using? And they’ve certainly seen good compliance and what that looks like, how many data sources there are, what’s being produced, how big the volume of data is, based on the person’s position and how long they worked there. So it’s very easy to tell if somebody’s just phoning it in and printing a couple of pages. And if it’s coming, they send the HR folder or the narrowed-down HR folder as opposed to everything else, right? And if they ask for your records retention policy and they look at other productions for litigation, they’re going to see a huge delta.
Chris Wall
It’s that five P rule, or six P if you’re from the military, right? Proper preparation prevents poor performance. DSAR readiness creates value way beyond an individual DSAR response itself through enforcement and into discovery, into litigation, and into information governance across the board. There’s a great value in that, and not just from an enforcement standpoint.
Ryan Costello
That’s great, guys. Thank you. Lest you all think I buried the lede here, I did want to pivot from defensibility and actual process into what a DSAR response workflow might look like. I think that’s important to discuss as part of this. We’ve talked about data management. We’ve talked about scalability. We’ve talked about defensibility first, but what does the actual DSAR response look like, and how can you sort of optimize or create efficiencies around that? So I wanted to turn to that towards the end of the hour. And Esther, I wanted to call on you, if I could. Could you talk a little bit about what we’ve seen in terms of an optimized DSAR workflow and what that might look like for an organization, including if they want to consider an AI-enabled workflow or not?
Esther Birnbaum
Yeah. So step one is DSAR readiness, which we’ve covered. And assuming we’re there, I look at it… And like I said at the very beginning, I look at it as every discovery process we have. So the more of a workflow and a process that you have, the better you’re going to be. And very often, employee DSARs come down to you having to turn over data that is about that dispute, and those are the contentious ones. Sometimes it is about deleting your data or obfuscating your data, but I think a lot of what we’re talking about is the ones that are almost weaponized, used pre-litigation or settlement. And those are often about some type of dispute within the company. And so what you’re actually… They tend to get negotiated down to you looking for the data that’s relevant to the dispute that has the requester’s PII. Really, those two points are what it boils down to. That means you’re doing a relevance review. And very often after that, the requirements are to redact everything unrelated to it. The redaction requirements are often very burdensome. So if you have a process that you can collect the data, run a relevance review, and then do redaction, that’s where you’re starting. I don’t think it’s going to be a surprise to anybody who knows me that I say do it with GenAI. Relevance review with GenAI is fantastic. We’ve built a process where we use a low-cost tool to really do this efficiently. And we pair it with human-in-the-loop to make sure that everything is validated and defensible. And then we use GenAI to do auto-redaction, and it really cuts down on cost and time. And cost is always key. But I think in DSARs, again, I’m going to emphasize the time aspect to it because it’s often very, very short. And being able to leverage AI and do this in an efficient way, in a defensible way that I would often argue is better than doing a human linear review, but we could talk about that also another time. That’s the way I see it working. 
And we’ve seen it done over and over for the clients that we work with in really efficient ways with AI.
Ryan Costello
Thanks, Esther. We had a great question, and I was going to talk a little bit about this slide, which kind of sums up some of the points you were making, but there’s a really good question here. Was going to save it till the end, but I think I’ll just jump to it. If a regulator challenges a response, how do you defend an AI-assisted process as complete and defensible?
Esther Birnbaum
You document it. You have a methodology that’s documented. You can audit every part of it. You are validating your methodology. The question I used to always ask is, “Can you write a defensibility memo about the entire process we just did?” And the team that’s doing it has to say yes. I now trust our teams, not that I ever didn’t. But when we were starting with AI, and we were learning with GenAI and learning the ropes and learning about validation, recall, and precision in the context of GenAI, that was a question I would ask. “Write a defensibility memo. How did you do your collections? How did you do your review? How did you do your redactions? What were your validation methods?” The same way we validate most things with data.
Patrick Zeller
Yeah, that’s a great point. I’m still playing with this analogy from the eDiscovery days of negative search hits. How do we know when we searched the lake for fish, we got all the fish that we needed, right? So, statistical sampling, using other tools. There are ways to test, look for standard deviations, and document that you’ve tested it and you’re confident in your process because of X, Y, and Z. So, as these new technology issues come along that we have to deal with, I think we need to not panic and think about what we’ve done in the past from eDiscovery, GDPR, privacy, or cybersecurity. And a lot of times it can involve a technology solution with proper documentation and processes.
Esther Birnbaum
Yeah. And to add to that, I think that there’s been… I don’t want to say hysteria, but there’s been a lot of questioning around GenAI results. In some ways, I think they’re being held to a much higher standard than human-based results. And just to share one situation, one question I got, and it was about variability, because we know that there’s variability in GenAI. And when you’re validating a review, whether it’s DSAR, whether it’s discovery, aren’t you concerned about variability? And the answer is we can test for variability. So we ran the same set of data with the same model with the same prompts, and we did this with 40,000 documents five times, and our standard deviation was less than 1%. Now, how would you test that when you have 15 humans coding a review with their own subjectivity? So I think it’s always really important when we talk about AI workflows and how to do DSARs with AI workflows that we speak from a rational perspective where we’re able to scientifically calculate things like validation in a way we almost never could before. So I think it’s a great question. And I think the defensibility question, when it’s challenged, “How do you defend it?” and I can give you the same way we defend everything, with sampling, with recall and precision, with validation.
Ryan Costello
Great response, Esther. Thanks. And thank you for the question, whoever asked that. That was spot on. Really appreciate that. Just to kind of wrap up what you’re looking at on the slide here, I mean, really, we… And this goes to everything we’ve talked about over the course of the hour, but your actual DSAR execution focuses on that collection piece, sort of that data management piece, ensuring that the data that you’re collecting and how you manage the data, that the collection process is important at that sort of first phase. And then we talked a little bit about this with Esther, but optimizing the review process, just the accuracy that goes into that. And of course, this defensibility first, sort of audit-ready deliverable for the data subject, how do we build all that into our execution? And I think we laid that out hopefully in a helpful way for everyone here. But we are getting close to the top of the hour, so I wanted to move to our final slide and just talk a little bit about kind of closing this down and maybe going to each of the panelists for some final thoughts, so just to kind of encapsulate some of the things we talked about. We’re seeing an increase in DSARs and the complexity that goes into this. We’ve established that some of the regulatory pressure around these requests, and just privacy rights in general, is growing. I think it’s clear. I hope it’s clear that, amid a lot of what we talked about, that sort of an ad hoc and manual reactive process for responding to DSARs, that’s not going to work. And really, what we’re looking at is data management, defensibility first, and a certain readiness around data information governance and AI governance that leads to not only scalable execution, but also kind of reduces costs and gives us something much more valuable, which is insights into our data environment and general data hygiene that goes into all of this. 
And so with that said, I wanted to see if I could go to our panelists for one final thought, maybe 30 seconds. Ladies first, we’ll start with you, Esther, and then we’ll do Chris, and then Patrick, and then see if we have any questions from the audience. And if not, we can wrap for today. But Esther, just a final consideration here in maybe 20 to 30 seconds?
Esther Birnbaum
Yeah. I think the most important thing is that DSARs are coming at you, but a lot of what we talked about is applicable more generally, when it comes to data and AI governance, data retention, and data hygiene. So I really encourage people to start thinking about all of that proactively.
Chris Wall
And if I had to leave a couple of thoughts here, it’s that our goal here was to help listeners and participants on our webinar look at ways to reduce cost, mitigate risk, and strengthen your overall data governance posture, not just DSAR response. So if I had to leave just one or two points, I guess it’d be we’ve got to go from reactive to repeatable. And I know maybe it sounds a little pithy, but we need to take something painful, like a DSAR response, and make it a strength. We’ve got to take that heart attack and make it the catalyst for healthy living. We turn that obligation into an advantage for us long-term. I’ll kick it over to Patrick.
Patrick Zeller
Thanks.
Ryan Costello
Patrick, one final thought, and then I’ll close it out.
Patrick Zeller
Yep. Everybody’s heard that AI is working with a really smart intern. I would argue it’s like working with a really smart intern who’s dating the son or daughter of the CEO, so you need to be careful what you’re doing. You need to have an expert in the loop and document what you’re doing, which we just talked about.
Ryan Costello
Very good. Thanks, everybody. We’re at the top of the hour. I want to thank everyone who joined the webcast today. Thank you for the great questions and some of that engagement. That was amazing. Really appreciate that. Thank you for your time and your interest in this and our educational series overall. We do have another webcast coming up on July 22nd, From Hype to Workflow: Insights from Experts on the Impact of AI on eDiscovery, that’ll be moderated by Phil Favreau. And that panel will discuss future advances in AI and how those innovations might affect eDiscovery in the years to come. So thank you all again. For more information, check out our website, haystackid.com. You can register for upcoming workshops and explore our library of educational resources. And again, appreciate everyone joining, and we hope you have a great rest of the week and a wonderful July 4th weekend next week. Go Team USA. Thanks, everybody.
Chris Wall
Bye.
Expert Panelists
+ Esther Birnbaum
EVP of Data Intelligence, HaystackID
Esther Birnbaum is the Executive Vice President of Data Intelligence at HaystackID, where she leads strategic initiatives integrating advanced AI technologies and data solutions across legal, compliance, and governance workflows. Esther brings extensive experience from both law firm and in-house environments. She began her career as an eDiscovery attorney at top-tier law firms, where she developed deep expertise in managing complex discovery processes for high-stakes litigation. She later served as Associate General Counsel at Interactive Brokers LLC, where she founded and scaled the company’s eDiscovery program from the ground up, pioneering AI-driven workflows that set new standards for operational efficiency in financial services litigation support. In her corporate role, she also spearheaded data intelligence initiatives across compliance investigations, regulatory response matters, and cross-functional governance programs, developing innovative approaches to leverage enterprise data for risk management and strategic decision-making. A recognized thought leader in the legal technology community, Esther is a sought-after speaker on the transformative applications of Generative AI in practice. Her innovative approach bridges deep legal expertise with cutting-edge technology, positioning HaystackID at the forefront of AI-powered corporate data intelligence and shaping how the industry approaches matter intelligence, document review, corporate data solutions, and data-driven legal and compliance strategy.
+ Ryan Costello (Moderator)
EVP of Global Advisory and Client Engagement, Advisory Group, HaystackID
Ryan Costello is a seasoned legal and data privacy expert with deep experience in eDiscovery, regulatory compliance, and cross-border data management. Costello helps organizations navigate complex challenges in data governance, AI integration, and privacy compliance. His work focuses on proactive strategies for information security, data classification, and regulatory readiness, ensuring that clients stay ahead of evolving legal and technological landscapes. Before joining HaystackID in September 2024, Costello spent nearly six years at ProSearch, where he played a key role in advising clients on data protection, eDiscovery workflows, and compliance strategies. A U.S.-qualified lawyer, Costello brings a global perspective to legal consulting, having managed projects across the United States and Europe. His expertise spans GDPR, cross-border discovery, and privacy-first frameworks that balance innovation with risk mitigation. Costello holds multiple certifications from the International Association of Privacy Professionals (IAPP), including Certified Information Privacy Professional – United States (CIPP/US), Certified Information Privacy Manager (CIPM), and Certified Information Privacy Professional/Europe (CIPP/E). With a career that bridges legal, privacy, and technology domains, Costello is a trusted advisor to corporations and law firms managing high-stakes data challenges.
+ Christopher Wall
DPO and Special Counsel for Global Privacy and Forensics, HaystackID
Chris Wall is DPO and Special Counsel for Global Privacy and Forensics at HaystackID. In his Special Counsel role, Chris helps HaystackID clients navigate the cross-border privacy and data protection landscape and advises clients on technical privacy and data protection issues associated with cyber investigations, data analytics, and discovery. Chris began his legal career as an antitrust lawyer before leaving traditional legal practice to join the technology consulting ranks in 2002. Prior to joining HaystackID, Chris worked at several global consulting firms, where he led cross-border cybersecurity, forensic, structured data, and traditional discovery investigations.
+ Patrick Zeller, FIP, CCEP-I
General Counsel, JetStream Security
Patrick E. Zeller is the General Counsel at JetStream Security. He was most recently Aristocrat’s Senior Vice President, Chief Privacy Officer, and managing Data Protection and AI Counsel. His team was responsible for Privacy, Data Protection, Cybersecurity, Gen AI, and Data Compliance in over 100 jurisdictions worldwide. His work experience includes global responsibility for privacy and data protection issues in 180 countries and over 110,000 employees for biotechnology, pharmaceuticals, medical devices, and direct-to-consumer products. He has created and led other global programs in information governance, data privacy (GDPR, CCPA, CPRA, China, Brazil, Vietnam, and Russia), records management (records cleanup and defensible destruction), eDiscovery, cybersecurity, Gen AI, and data protection. He is a former litigator and federal computer crimes prosecutor. Patrick defines global privacy, data strategy, and data protection, enabling the use of data for business growth. He is a problem solver with a proven track record for practical business advice in creating and maintaining strategic privacy, data protection, and security programs. Patrick is a leader who draws on the power of positive and collaborative leadership to balance privacy and cybersecurity risks with business needs and growth opportunities. Patrick is a member of The Sedona Conference® international and cybersecurity working groups. He is also a member of the International Association of Privacy Professionals and a Certified Information Privacy Professional (FIP, CIPP/US, CIPM, and CIPP/E). He is a Certified Compliance and Ethics Professional, International, and is getting certified in Gen AI at Stanford University.
Patrick is a frequent author and speaker on Privacy and data protection issues, including such topics as Privacy, Gen AI, Blockchain/DLT, IoT, cross-border discovery, data protection and privacy, developing trends, technology-assisted review; and privilege and ethics in eDiscovery, Privacy, and Digital Compliance.
About HaystackID®
HaystackID® solves complex data challenges related to legal, compliance, regulatory, and cyber requirements. Core offerings include Global Advisory, Cybersecurity, Core Intelligence AI™, and ReviewRight® Global Managed Review, supported by its unified CoreFlex™ service interface and eDiscovery AI™ technology. Recognized globally by industry leaders, including Chambers, Gartner, IDC, and Legaltech News, HaystackID helps corporations and legal practices manage data gravity, where information demands action, and workflow gravity, where critical requirements demand coordinated expertise, delivering innovative solutions with a continual focus on security, privacy, and integrity. Learn more at HaystackID.com.
Assisted by GAI and LLM technologies.
SOURCE: HaystackID