Press release

29 Mar 2023 London, GB

Global financial services firms expect GDPR-linked personal data requests to increase in 2023, but respondents report limited or no organizational understanding of non-compliance risks – EY Law Survey

London, 29 March 2023. Andrea Ward, Data Protection Partner, EY Law, comments: “Data protection is a priority topic for businesses, but it’s not one with an easy shortcut to successful compliance.

Related topics Financial Services EMEIA Law
  • Sixty percent of data protection and compliance leaders in financial services firms saw a spike in Data Subject Access Requests (DSARs) in 2022 and almost half (49%) expect a further rise in 2023.
    • Sixty-two percent believe that individuals’ awareness of their GDPR rights is the main reason for this increase in DSAR submissions. 
  • Respondents confirmed that more than half (51%) of DSARs received in 2022 came from customers, while almost a third (32%) came from employees, with requests triggered by HR issues including employment termination, unfair dismissal claims and organizational change.
  • Forty-two percent of respondents confirmed they have limited or no organizational understanding of DSAR non-compliance risks.
  • More than half (54%) of those surveyed say their firm has a dedicated DSAR team to handle requests, however, 46% are still processing DSARs manually.
  • More than half (51%) of respondents confirm they have received complaints from individuals who believe that they have not had a proper response to their DSAR 
  • A third (33%) of those surveyed confirmed they receive bulk DSARs, raising their suspicions that DSAR data is being used for profiling and monitoring by third parties including Claims Management Companies.

Andrea Ward, Data Protection Partner, EY Law, comments: “Data protection is a priority topic for businesses, but it’s not one with an easy shortcut to successful compliance. While it’s welcome to see individuals being empowered with greater control over how their personal data is being managed, it’s clear that businesses must ensure they are keeping up. Firms have more to do to ensure they fully understand their DSAR obligations and have the appropriate resources in place to meet growing demand for these requests, especially given the upward trend in Claims Management Companies submitting bulk requests. There is significant underuse of technology across financial services firms to supplement manual activities when processing data requests, which would enable compliance teams to process requests more efficiently and focus on higher-value activities. The onus is on businesses to implement a DSAR oversight process that can meet growing demand, especially given regulators are strict on those who fail to do so.”

Read the results from the 2023 EY Law DSARs survey here



About EY

EY exists to build a better working world, helping to create long-term value for clients, people and society and build trust in the capital markets.

Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.

Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.

EY refers to the global organisation, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit

This news release has been issued by EYGM Limited, a member of the global EY organization that also does not provide any services to clients.