5 DSAR Trends Essential for Earning Trust

Data subject access requests (DSARs), or subject rights requests (SRRs), are evolving. 

Whether your organization is based out of the EU, the US, or elsewhere in the world, consumers’ awareness and expectations are forcing businesses to adapt how they manage SRRs. Keeping track of these trends will help you better meet consumer expectations, win trust, and stay on privacy regulators’ good side.

1. Privacy Incidents Are Forcing Consumers to Learn Their Rights

If you’re clued in to data privacy enough that you’ve come across this blog, then this trend won't be much of a surprise: Consumers are becoming more aware of their privacy rights. 

Data privacy isn’t being taught in schools, and the Ad Council hasn’t launched a nationwide campaign to promote data privacy awareness. But people are becoming aware of data privacy one way or another. 

Consider 23andMe’s bankruptcy filing. Instantly, former customers and regulators were ringing alarm bells: What would happen to all of that extremely sensitive data once the genetic testing company was sold? People rushed to submit subject rights requests, and attorneys general’s offices issued instructions on how to do so.  

2. The Commodification of Data Is Bringing SRRs to the Fore

The more blatantly personal data is commodified, the more data subjects are learning about their rights. 

Back in 2018, a Texan coffee shop made the news for providing customers with “free” coffee in exchange for their personal data, which was then sold to corporate sponsors. 

Professor Donna Wertalik discusses the commodification of consumer data in our recent virtual event, The Subjects Are Restless: Is 2025 the Year of Subject Rights? 

Back in 2018, the Texas Data Privacy and Security Act (TDPSA) had not yet been enacted, meaning those customers lacked the right to control the fate of their data once they handed it over for a macchiato. And the coffee shop was under no obligation to inform customers about what would happen to their data or what their non-existent rights were. 

It’s a different story today.  

If companies want to commodify consumer data, they need to provide notice, obtain consent, and inform consumers about their rights. Businesses' appetite for data isn’t going away—thus, the biggest drivers of increasing subject rights awareness are businesses themselves. 

Consider Meta’s “Pay or Okay” subscription model. In the EU, Facebook and Instagram users can either pay a subscription to access those social media platforms, or they can consent to sharing their data. The European Data Protection Board has ruled this practice is illegal under the GDPR, but it and other tactics will lay bare the equivalency between data and dollars (or euros in this case) in consumers’ eyes.   

This is reflected in EU data protection authorities’ reports, too. While EU-wide data on subject rights requests or Meta-specific SRR data isn’t available, we can look at the overall complaints issued to data protection authorities (DPAs). Ireland’s Data Protection Commission is a particularly active jurisdiction. In 2023—the most recent year for which data is available—the commission received 20% more complaints and queries compared to the previous year. That’s a pretty big jump, especially since privacy awareness is already more widespread in the EU compared to the US.

3. Awareness May Be Growing, But Understanding Still Lags—and That’s an Opportunity

You might look at the above and conclude that consumers are becoming savvier stewards of their personal data. Some certainly are. But the vast majority of consumers don’t understand their rights. They understand the impetus behind them. They want to tell businesses to:  

• Stop spying on them 

• To be transparent 

• Fix a mistake 

• Be respectful about who they share their information with 

Consumers may not know that what they’re really asking is to: 

• Opt out of data processing 

• Submit a summary request 

• Request the business to update inaccurate information 

• Opt out of the sale or sharing of personal information 

Cisco’s 2024 Data Privacy Benchmark study asked both businesses and consumers what organizations can do to build and maintain trust when it comes to consumer data. The most common response among consumers was for businesses to provide clear information on data use (at 37% of respondents), Businesses believed this was the only the third-most important action to take (at 21% of respondents). 

Pew Research also backs this up—67% of consumers have little to no idea what businesses do with the data collected about them. 

If businesses start writing privacy policies for consumers first rather than lawyers, make cookie banners informative and actionable, and avoid dark patterns that confuse rather than illuminate choice, they’ll win.  

It might empower consumers to make more SRRs, but so what? Surely, businesses would gladly pay the price of handling additional SRRs to secure customer trust.

4. Businesses Are Under-Estimating Intake

With rising consumer awareness and a hunger for transparency, it’s a little perplexing to see organizations treat SRR intake as a stodgy legal requirement, rather than an essential customer touchpoint. 

Along with notice and consent, SRRs are the face of your privacy program. They tell the outside world what you think about data privacy and—by extension—what you think about your customers’ rights. When working on your SRR program, optimizing SRR intake for clarity and compliance is a great place to start.  

Osano’s Senior Product Manager Chris Simpson talks about common misconceptions surrounding subject rights intake in our recent virtual event, The Subjects Are Restless: Is 2025 the Year of Subject Rights?

5. Businesses Are Beginning to Understand How to Automate SRR Management

Automating SRRs is essential—but the trick lies in knowing what to automate. 

It’s quite easy to automate yourself into non-compliance. Automated systems can serve up the wrong data in response to a request or miss data stored in unintegrated systems. Privacy solutions that boast of hundreds or thousands of integrations to support automated SRR execution often downplay the complexity of the implementation process or the maintenance requirements. It’s shockingly common for businesses to purchase privacy software subscription, only for that software to remain un-implemented a year on.  

Instead, businesses are finding more value automating subject rights management tasks and workflows. In a purely manual process, the workflow is where the most risk lies, such as: 

• Communicating with data subjects back and forth for information needed to fulfill a request 

• Collecting excessive information to fulfill a request 

• Waiting on system owners and vendors to respond to action items 

• Losing track of deadlines 

• Proliferating records in decentralized systems 

Pitfalls like these are where most businesses make mistakes and take up the most time. Finding, processing, and packaging the associated data matters too, and should be automated when possible. But if the end-to-end process isn’t automated first, then many of the underlying sources of risk in your subject rights workflow will remain. 

It can be pretty tough to visualize what this looks like in practice, especially if you haven’t managed an SRR process in the past. To help clarify what a low-risk, efficient process with smart automation looks like, we decided to lay out our approach. Check out our blog, How Osano Does DSARs, to learn more.