AI-Generated SARs, ICO Complaints and Social Media Bans, What This Means for Organisations

The data protection landscape rarely stands still, but recent developments suggest organisations may be facing new challenges from multiple directions.

In a recent episode of GDPR Radio, Caine Glancy and Catarina Pereira dos Santos explored several of the biggest stories currently impacting the profession, including the growing number of AI-generated Subject Access Requests (SARs), criticism of the ICO’s complaints handling processes, the resignation of Information Commissioner John Edwards, and the UK’s proposed social media restrictions for under-16s.

Whilst these issues may appear unrelated, they all raise important questions about accountability, regulation and how organisations can prepare for an increasingly complex compliance environment.

Organisations Are Seeing More Subject Access Requests

One of the first topics discussed was the significant increase in Subject Access Requests being experienced by some organisations, particularly within the housing sector.

Catarina explained that several clients have reported substantial increases in SAR volumes compared to the same period last year, with some organisations managing dozens of requests simultaneously.

Whilst organisations often look for common causes such as complaints or service issues, the discussion highlighted another potential factor, the growing use of artificial intelligence.

Is AI Driving The Rise In SARs?

The conversation explored how AI tools such as ChatGPT are making it easier than ever for individuals to draft and submit Subject Access Requests.

Catarina described conducting her own test using ChatGPT and discovering that many of the requests being received by one client closely mirrored the wording generated by the AI platform.

“Twenty-eight of them are literally coming from ChatGPT because it was a copy and paste of the one that I have seen in front of me.”

The discussion highlighted both the opportunities and challenges this creates. On one hand, AI can help individuals better understand and exercise their rights. On the other, organisations may find themselves dealing with increasing volumes of requests that are generated quickly and submitted with little effort.

When AI Creates A Compliance Challenge

The discussion also highlighted a less obvious issue.

According to Caine, organisations are increasingly finding themselves engaged in lengthy back-and-forth exchanges where AI-generated responses repeatedly challenge the organisation’s position.

Rather than helping resolve requests, AI can sometimes create what Caine described as a “hamster wheel” of ongoing correspondence. Organisations respond, AI generates a counterargument, and the cycle continues.

This creates an important challenge for organisations. Knowing when a SAR has been answered appropriately and when communication can reasonably come to an end is becoming increasingly important.

Questions Continue To Be Raised About ICO Complaint Handling

The conversation then turned to the Information Commissioner’s Office and recent criticism of its complaints framework.

The hosts discussed concerns raised by campaign groups regarding the ICO’s approach to lower-risk complaints and whether sufficient action is being taken when individuals exercise their data protection rights.

The discussion explored the difficult balance regulators face between prioritising resources and maintaining public confidence.

Catarina questioned whether data subject rights risk becoming theoretical if complaints are routinely stored for information purposes without further action.

“The regulators should be there to protect the rights and freedoms… but then they complain and they are used for informational purposes rather than actually helping the data subjects.”

What John Edwards’ Resignation Could Mean

The resignation of Information Commissioner John Edwards was another major topic.

Whilst the hosts acknowledged that the full circumstances remain a matter of public record, the discussion focused on what the change could mean for the future direction of the ICO.

Catarina suggested that the timing may provide an opportunity for the regulator to review its processes and priorities.

The broader question raised throughout the discussion was whether the ICO’s current approach remains fit for purpose in an environment where data protection concerns continue to grow in both volume and complexity.

The Social Media Ban Debate

The final major topic centred around the UK’s proposed social media restrictions for under-16s.

The proposal has been positioned as a measure to improve online safety and reduce the risks children face online. Catarina acknowledged the positive intentions behind the proposal, particularly given the ongoing concerns around children’s privacy, harmful content and the misuse of personal data.

However, the discussion also raised several practical concerns.

Is Responsibility Being Placed On The Right People?

A recurring theme throughout the discussion was accountability.

Rather than focusing solely on restricting access for younger users, both hosts questioned whether greater responsibility should be placed on the platforms themselves.

As Catarina explained, the conversation appears to focus heavily on controlling users whilst paying less attention to the role social media companies play in creating and maintaining online environments.

The discussion also raised questions around age verification, enforcement and whether restrictions alone can address the root causes of online harm.

The Challenge Of Balancing Safety And Freedom

The conversation concluded by recognising that online safety is rarely a straightforward issue.

Whilst protecting children remains an important objective, both hosts questioned whether blanket restrictions alone can solve the wider challenges associated with social media, harmful content and digital wellbeing.

As Caine noted, the underlying issue may not simply be access to social media, but the platforms themselves and the environments they create.

Looking Ahead

The episode highlighted several developments that organisations should continue monitoring closely.

The rise of AI-generated SARs is already creating operational challenges for some organisations. Questions around ICO enforcement and complaints handling continue to attract attention. Meanwhile, proposals around online safety and social media restrictions are likely to generate ongoing debate.

Whilst the outcomes remain uncertain, one thing is clear. Data protection professionals will need to remain adaptable as technology, regulation and public expectations continue to evolve.

Frequently Asked Questions

Are AI-generated Subject Access Requests valid?

Yes. A Subject Access Request can still be valid even if it has been created using an AI tool. Organisations should assess the request in the same way they would any other SAR.

Why are organisations seeing more SARs?

Increased awareness of data protection rights, the use of AI tools and wider public discussion around privacy may all be contributing to higher SAR volumes.

How should organisations deal with repeated AI-generated responses?

Organisations should follow their internal SAR procedure, document their decisions and ensure they have responded appropriately. Once a request has been handled properly, it is important to know when further correspondence is no longer necessary.

Does the ICO investigate every data protection complaint?

The ICO uses a risk-based approach when reviewing complaints. This means some complaints may be prioritised depending on factors such as risk, harm and wider public interest.

Why is the proposed social media ban for under-16s controversial?

Although the proposal aims to protect children online, concerns remain around age verification, enforcement, privacy and whether enough responsibility is being placed on social media platforms themselves.

How can organisations prepare for increasing SAR volumes?

Organisations can prepare by having clear SAR procedures, training staff, maintaining good records and seeking specialist data protection support where needed.

Need Support Managing Subject Access Requests?

Managing Subject Access Requests, responding to regulatory challenges and keeping up with changing data protection expectations can be difficult, particularly when organisations are facing increasing workloads and limited internal resource.

Our Data Protection Support Service, Outsourced DPO Service and Training and Awareness Services help organisations navigate complex compliance challenges with confidence.

Whether you need support managing SARs, reviewing governance processes or improving staff awareness, our team can help you make data protection easier to understand and easier to manage.