What Are Weaponised SARs? Key Insights from 180 Data Protection Professionals

On Friday 10 April, the Data Protection Made Easy podcast hosted a live discussion on one of the fastest-growing challenges in information rights, weaponised Subject Access Requests, often referred to as weaponised SARs.

Led by Catarina Santos and Caine Glancy, the session attracted 180 live participants, with a highly active chat and more questions than could be answered in a single session.

This signals a clear shift. Weaponised SARs are no longer a niche issue. They are a growing operational challenge affecting organisations across housing, healthcare, local authorities and the private sector.

Subject Access Requests are increasingly being used strategically. Rather than purely supporting transparency, they are now being submitted alongside complaints, grievances, legal disputes and disrepair claims.

This does not remove the legal right of access. It does mean organisations must work harder to define scope, manage intent and respond in a way that is both compliant and proportionate.

If your organisation is already dealing with increasingly complex requests, our SAR Support Service helps teams manage Subject Access Requests efficiently and with confidence. Many organisations also benefit from wider governance support through our Data Protection Support Service and Outsourced DPO service.

Why are weaponised SARs rising?

During the session, Catarina highlighted that this trend is becoming more frequent and more disruptive.

As she explained, “Unfortunately, it’s becoming more regular and is definitely something that organisations are seeing on a very regular basis.”

The core issue is a tension between legal rights and strategic use. Individuals have a right to access their personal data, but some requests are clearly being used to apply pressure or gain leverage.

Caine reinforced this by highlighting a common pattern seen across organisations: “They only ask if they think there is a smoking gun.”

This reflects a wider shift. Many SARs are no longer exploratory, they are targeted, often driven by disputes or a belief that key evidence exists within organisational records.

The role of AI in weaponised Subject Access Requests

Artificial intelligence is accelerating this trend.

Catarina explained how AI tools are shaping behaviour: “They are relying a lot on ChatGPT and other AI platforms… SARs are something that you should always submit.”

Caine added: “Practically everybody within the meeting today has probably received a request that looks like it’s come from an AI platform.”

This creates a new challenge. Requests now often appear legally confident, broad in scope and poorly understood by the requester.

As a result, organisations are dealing not only with the initial request, but also repeated AI-generated follow-ups and challenges.

A member of the community commented, “We are seeing data subjects use AI more and more to contradict our responses. It’s becoming a real issue.”

This is one reason why having a practical SAR process matters more than ever. A clear workflow, strong template letters and the right internal escalation points can reduce risk and improve consistency. For organisations that need extra support, our SAR Support Service is designed to help with scoping, review, redaction and response management.

Real challenges shared by the data protection community

The live chat reinforced just how widespread this issue has become.

A member of the community commented, “Weaponised suits our situation. Customers will send us a SAR to delay actions or find us in the wrong.”

Another added, “Most of our requests ‘scream’ ChatGPT now.”

Another highlighted the operational frustration, commenting, “We spend so much time responding, just for it to be put back through AI and asked again in a different way.”

A recurring theme was expectation versus reality. Many requesters expect full disclosure of documents, while organisations must apply the law correctly and proportionately.

Solicitors, tone and pressure tactics in SARs

Another key discussion point was the role of solicitors and representatives.

Catarina noted that tone is often used strategically: “The tone is definitely to create fear among the people managing these requests.”

This is often combined with misunderstandings about the scope of a SAR.

A member of the community commented, “The lawyers advising them are oblivious of the fact that documents do not form part of a DSAR response.”

Another added, “Just because they ask for something, data protection still applies.”

This highlights a critical point for organisations. A SAR is a right to personal data, not a blanket right to all documents, emails or internal records.

That distinction sits at the heart of good SAR handling. It also links closely with broader compliance and governance practice, which is where services such as our Data Protection Support Service and Outsourced DPO service can help organisations build stronger foundations.

Why clarifying a SAR request is essential

One of the most important takeaways from the session was the need to clarify scope early.

Catarina advised: “Don’t be scared to clarify the request.”

Broad requests such as “all my personal data” can quickly become disproportionate if not narrowed.

She also reinforced a key legal distinction: “The right is to personal data, nothing more, nothing less.”

Clarification helps reduce unnecessary workload, focus on relevant data, improve response accuracy and manage expectations early.

A member of the community commented, “Provide everything you have on me is exhausting.”

The growing pressure on data protection teams

The discussion also highlighted the strain on internal teams.

Caine explained: “A lot of people do SARs individually… that might not be feasible anymore.”

This was strongly reflected in the chat.

A member of the community commented, “I’m just one person.”

Another added, “I have a team of 11 and it’s still not enough.”

Another said, “Many of ours are overdue as we are overwhelmed.”

This demonstrates a clear gap between legal expectations and operational reality.

Where internal resource is stretched, it often makes sense to bring in specialist support for complex or high-volume cases. Our SAR Support Service is built for exactly this, helping organisations reduce pressure on internal teams while maintaining a defensible and structured response process.

ICO guidance, challenges and uncertainty

The session also explored frustrations around regulatory guidance.

Caine said: “What would really help is more detailed guidance.”

Catarina added: “It’s too broad… it’s hard to define what it means in practice.”

The community echoed this.

A member of the community commented, “I wish the ICO would issue clear guidance from experiences like this.”

Another said, “It’s hard to know whether the ICO has received a complaint or not.”

This lack of clarity leaves organisations making difficult judgement calls without consistent, practical support.

How organisations should respond to weaponised SARs

While there is no single solution, several practical steps emerged from the discussion.

Organisations should build a practical SAR process that reflects real workflows, use clear templates for acknowledgements, clarifications and responses, clarify scope early to avoid unnecessary work, document decisions and search methodologies, and apply the law confidently and proportionately.

Caine summarised this well: “You’ve got to not be afraid to push back when things are getting too far.”

In practice, that often means having the right mix of process, confidence and support. Our SAR Support Service helps organisations manage difficult requests from initial scoping through to final response, while our Data Protection Support Service and Outsourced DPO service support wider compliance, governance and decision-making.

Why this conversation is not over, part two is coming soon

With 180 attendees and a highly engaged discussion, it became clear that one session was not enough.

Several topics require deeper exploration, including repeat SAR requests, metadata requests, grievance-led SARs, solicitor authority, search methodology and proportionality.

As Caine confirmed: “We’ll be picking apart some of these requests and taking it into a second session.”

That feels exactly right. Weaponised SARs are not a passing frustration. They reflect a broader shift in how data rights are being used, challenged and operationalised.

For anyone working in data protection, compliance, information governance or complaints handling, this is a conversation that is only becoming more important.

Need support with complex or weaponised SARs?

Weaponised SARs are not a temporary trend. They reflect a broader shift in how data rights are being used.

If your organisation is experiencing increasing SAR volumes, more complex or strategic requests, or growing pressure on internal teams, now is the time to review your approach.

Explore our SAR Support Service to see how we help organisations manage Subject Access Requests efficiently, accurately and with confidence.

You may also find it useful to explore our wider Data Protection Support Service and Outsourced DPO service for ongoing compliance support.

---

Frequently asked questions about weaponised SARs

What is a weaponised SAR?

A weaponised SAR is a Subject Access Request that appears to be used strategically, often alongside a complaint, grievance or dispute, rather than simply to understand how personal data is being processed.

Are weaponised SARs still valid?

Yes. A requester may still have a valid right of access even where the wider context is contentious. Organisations still need to assess the request properly, define scope and respond lawfully.

Can AI increase the number of SARs?

Yes. AI tools can make it easier for people to generate broad, legally worded requests and follow-up challenges, which can increase both the volume and complexity of SAR handling.

Do SARs give people the right to all documents?

No. A SAR is a right to personal data, not a blanket right to every document, email or report in which a person may appear.

Should organisations clarify broad SARs?

Yes. Clarifying a broad request can help narrow scope, reduce unnecessary work and ensure the response is more accurate and proportionate.

How can organisations manage complex SARs more effectively?

Organisations should use a practical SAR procedure, clear templates, documented search methods, confident decision-making and specialist support where internal capacity is limited.