Data subject rights are no longer a narrow compliance workflow. In 2026, access, erasure/deletion, opt-out, correction and complaint handling have become operational pressure points for privacy, legal, governance, IT, security and customer operations teams.
The most reliable public evidence does not show a single global DSAR volume figure. Instead, the picture must be triangulated from regulator complaint datasets, coordinated enforcement actions, breach statistics, consumer-rights programmes and privacy governance research. Taken together, those sources point in one direction: individuals are exercising privacy rights more often, regulators are scrutinising the mechanics of request handling more closely, and organisations need defensible, well-documented workflows.
The clearest 2026 shift is that regulators are focusing not only on whether a right exists on paper but also on whether people can use it in practice. This includes response times, identity verification, redaction quality, explanations for refusals or partial disclosures, erasure in backups, retention logic, complaint escalation, and the ability to evidence every decision.
Download DSAR Statistics 2026 Report
Key findings
- Access remains the anchor right. The European Data Protection Board describes the right of access as one of the most frequently exercised rights under the GDPR. The Irish Data Protection Commission reports that subject access requests are the most common reason individuals contact it, typically because of non-response or dissatisfaction with an organisation’s reply.
- Erasure is moving into the enforcement spotlight. In 2026, the EDPB reported that 32 European DPAs participated in coordinated action on the right to erasure, covering 764 controllers. The action identified recurring issues, including weak internal procedures, inadequate explanations to individuals, inefficient anonymisation rather than deletion, retention-period difficulties, and the handling of backups.
- UK complaints are rising. The ICO recorded 42,315 data protection complaints in 2024/25, up from 39,721 in 2023/24 and 33,753 in 2022/23. The ICO also stated that Article 15 right-of-access complaints account for the majority of its data protection complaints work.
- The UK complaints regime has become more formal. From June 2026, organisations must provide a way to raise data protection complaints, acknowledge them within 30 days, investigate appropriately and communicate the outcome without undue delay.
- California is operationalising consumer deletion at scale. California’s 2025 annual privacy report says its consumer complaint portal has received more than 10,000 complaints since launch, with complaints up about 120% year over year. Its DROP system, launched for 2026, allows California residents to submit a single deletion request to all registered data brokers.
- Breaches continue to fuel awareness. The Identity Theft Resource Centre tracked 780 data compromises and just under 140 million victim notices in Q1 2026 alone. Breach notices regularly prompt individuals to ask what data is held, why it was retained, who received it and whether it can be deleted.
- AI is expanding privacy programmes before governance is fully mature. Cisco’s 2026 benchmark, based on more than 5,200 privacy-responsible professionals across 12 markets, found 90% of organisations say privacy programmes have expanded due to AI, while only 12% describe existing AI governance committees as mature and proactive.
Global DSAR and individual rights dashboard
The figures below are not directly comparable datasets. They are selected indicators from credible public sources that show demand, enforcement pressure and operational complexity across major privacy regimes.
| Metric | Latest figure | Source | Why it matters |
| UK complaints | 42,315 data protection complaints in 2024/25; 39,721 in 2023/24; 33,753 in 2022/23. | ICO | Shows sustained pressure on the UK regulator and a risk of a complaint-handling backlog. |
| UK right of access | Article 15 complaints account for the majority of the ICO’s data protection complaints work. | ICO | Confirms that access requests remain one of the most contested rights in practice. |
| EU access enforcement | 30 DPAs and 1,185 controllers in the 2024 coordinated action on the right of access. | EDPB | Shows cross-European scrutiny of access request procedures. |
| EU erasure enforcement | 32 DPAs and 764 controllers in the 2025 coordinated action, reported in 2026. | EDPB | Shows erasure/deletion is a current enforcement priority. |
| Ireland contact volumes | 32,152 total contacts; subject access requests were the most common reason for contact. | DPC | Indicates that access remains the leading source of public engagement with the Irish regulator. |
| Ireland case handling | 11,091 new cases processed; 10,510 resolved; 2,357 moved to formal complaint handling. | DPC | Shows the scale of case handling behind individual rights and privacy complaints. |
| Ireland breach notifications | 7,781 valid breach notifications in 2024, up 11%; 50% due to correspondence sent to the wrong recipient. | DPC | Highlights preventable process failures that can trigger rights requests and complaints. |
| California complaints | 10,000+ complaints since the portal launched; about 120% year-over-year increase. | CPPA | Shows growing consumer use of privacy complaint channels in the US. |
| California deletion | DROP enables a single deletion request to all registered data brokers; 500+ data brokers were registered in 2025. | CPPA | Signals a shift from one-company-at-a-time requests to scaled rights execution. |
| Australia privacy complaints | 3,295 privacy complaints received in 2024/25; 3,123 complaints finalised. | OAIC | Shows complaint volumes rising beyond Europe and North America. |
| Canada complaints | 3,044 PIPEDA complaints and 3,146 Privacy Act complaints in 2025/26. | OPC Canada | Shows significant growth in both private-sector and public-sector privacy complaints. |
| Canada time limits | Time-limit complaints under the Privacy Act increased by 121%. | OPC Canada | Reinforces that delayed responses are a major rights-management risk. |
| Privacy investment | 90% expanded privacy programmes due to AI; 43% increased privacy spending; 93% plan more resources. | Cisco | Privacy operations are becoming core infrastructure for AI and data governance. |
| US breach context | 780 data compromises and just under 140 million victim notices in Q1 2026. | ITRC | Breach exposure is a direct driver of public awareness and rights activity. |
Request volumes and regulatory pressure
The UK illustrates the pressure created when individual rights disputes become regulator complaints. ICO complaint volumes rose by 25.4% over the three years from 2022/23 to 2024/25. The ICO also reported that cases not completed at year-end rose from 9,168 in 2023/24 to 15,810 in 2024/25, and that it responded to 30% of complaints within 90 days in 2024/25 against an 80% KPI.
The lesson for organisations is straightforward: a weak internal rights process does not stay internal for long. Late responses, unclear redactions, inconsistent identity checks, or poor explanations are precisely the issues most likely to lead to complaints. In the UK, this is now reinforced by statutory complaint-handling obligations; in Europe, by coordinated supervisory action; and in California, by an increasingly centralised consumer-rights infrastructure.
Cost, complexity and operating-model implications
This revision intentionally avoids using cost benchmarks from privacy-rights management vendors. There is no single neutral, current and globally comparable 2026 per-request cost figure for DSARs. The better operating metric is process exposure: how many systems hold personal data, how reliably data is mapped, how quickly records can be searched, how consistently exemptions and redactions are applied, and how much human review remains necessary.
Access requests are costly because they require searching, reviewing, contextual judgment, and secure disclosure. Erasure requests can be more complex because the organisation must determine whether deletion is legally required, whether exceptions apply, whether data is held in backups or archives, whether deletion conflicts with retention duties, and how to record the outcome without retaining excessive request data.
Complaints add a second layer of cost. A DSAR response is not complete merely because data has been exported. It must be intelligible, sufficiently complete to satisfy the right, appropriately redacted, securely delivered, and supported by a record explaining the decisions. A poor response can create a regulator complaint, an internal grievance, a litigation disclosure issue or a reputational incident.
High-friction activities that drive DSAR cost
- Finding personal data across structured systems, collaboration tools, email, ticketing systems, HR platforms, CRM data and archived records.
- Separating the requester’s personal data from third-party personal data, confidential information, privileged material and trade secrets.
- Applying exemptions consistently and explaining them clearly enough to withstand regulatory scrutiny.
- Managing identity verification proportionately, without creating unnecessary barriers or collecting excessive additional data.
- Coordinating erasure across live systems, backups, processors, retention schedules and legal holds.
- Maintaining an audit trail that proves timeliness, decision logic, approvals, disclosures and secure delivery.
Technology, AI and governance
Technology is now essential to mature request handling, but automation without governance creates risk. The most defensible model is not to remove humans entirely from the process. It is to automate repetitive, evidence-based work while preserving human review for legal interpretation, edge cases, redactions, exemptions, identity verification disputes, and final approvals.
AI has sharpened this point. Cisco’s 2026 benchmark shows that privacy programmes are expanding as AI raises new questions about transparency, explainability, data use, contractual controls, governance committees, and customer trust. At the same time, the study found that only 12% of organisations describe existing AI governance committees as mature and proactive.
For DSAR and erasure workflows, AI-supported tools can help classify records, identify likely personal data, detect duplicate material, suggest redactions and route requests. However, AI outputs must be validated. A mistaken omission, over-redaction, a hallucinated explanation, or an unsupported exemption can undermine the entire response.
Minimum governance controls for AI-assisted request handling
- Document which parts of the request workflow use automation or AI, and which decisions remain under human control.
- Maintain a data inventory and retention schedule to support access, erasure, restriction, and complaint responses.
- Use human approval gates for disclosure packs, erasure refusals, redaction decisions and high-risk or vulnerable-person requests.
- Log prompts, outputs, review decisions, and quality checks for AI used in classification, search, or redaction.
- Assess vendors and processors for security, confidentiality, deletion support, audit logs and lawful transfer mechanisms.
- Test response quality periodically through internal audits, sample reviews and complaint trend analysis.
Practical implications for organisations
Move from mailbox-based handling to workflow control.
Shared inboxes and spreadsheets are fragile at 2026 complaint volumes. Organisations need intake triage, ownership, deadlines, identity verification, scoped searches, processor coordination, legal review, approval, delivery, and audit evidence within a single controlled workflow.
Treat access and erasure as connected rights.
The access response often determines whether an individual later asks for correction, restriction, objection or erasure. A clear access response can reduce downstream escalation; a poor response can multiply it.
Standardise explanations.
Regulators repeatedly highlight poor or insufficient explanations. Response templates should explain what was searched, what was disclosed, what was withheld, why redactions were applied and how the individual can complain or escalate.
Audit the hard parts.
The highest-risk areas are not usually the webform. They are backups, archived email, third-party systems, unstructured records, retention exceptions, employee data, identity verification and redaction logic.
Use complaint data as control testing.
Complaints should be categorised by root cause: late response, incomplete search, unclear exemption, poor redaction, failed deletion, excessive ID checks, inaccessible format or poor communications. This turns complaints into a privacy operations control dashboard.
Prepare for scaled deletion.
California’s DROP model demonstrates where the market is heading: individuals increasingly expect rights to be easy, centralised and repeatable. Organisations should assume deletion and opt-out requests will become more automated and more frequent.
About this research
This report consolidates publicly available information as of 9 July 2026. It prioritises primary regulatory and public authority sources, including the ICO, EDPB, DPC, CPPA, OAIC and OPC Canada. It also draws on cross-sector privacy/security research from Cisco and the Identity Theft Resource Centre, where the data is directly relevant to privacy programme investment, AI governance, and breach-driven awareness.
This report does not present a single global DSAR total. Instead, it presents a defensible set of indicators that show how rights activity, complaints, enforcement focus, breach awareness and privacy governance investment are developing across jurisdictions.
References
- European Data Protection Board, Coordinated Enforcement Action: implementation of the right of access by controllers, 20 January 2025.
- European Data Protection Board, Coordinated Enforcement Action: implementation of the right to erasure by controllers, 18 February 2026
- Information Commissioner’s Office, Data protection complaint handling approach impact assessment, January 2026.
- Information Commissioner’s Office, New data protection complaints law now in force, 23 June 2026.
- Information Commissioner’s Office, How to deal with data protection complaints.
- Information Commissioner’s Office, A guide to subject access.
- Data Protection Commission, Ireland, Annual Report 2024 key findings.
- Data Protection Commission, Ireland, 2024 Annual Report press release, 19 June 2025.
- California Privacy Protection Agency, 2025 Annual Report.
- California Attorney General, California Consumer Privacy Act.
- Office of the Australian Information Commissioner, Annual report 2024-25.
- Office of the Privacy Commissioner of Canada, 2025-2026 annual report news release, 4 June 2026.
- Cisco, 2026 Data and Privacy Benchmark Study.
- Identity Theft Resource Center, Q1 2026 Data Breach Analysis, 17 April 2026.
- Verizon, 2026 Data Breach Investigations Report.



