Manual DSR fulfillment has been unsustainable for a while, but 2025 was a turning point.
DataGrail’s 2026 Privacy & AI Trends Report found that Data subject request (DSR) volume rose for the fifth consecutive year, with deletion requests alone increasing 567% since 2021.
Based on Gartner’s estimated cost of manual DSR management and the average volume of DSRs in 2025, manual DSR management now costs a medium-sized organization upwards of $1.5 million annually.
For privacy teams still relying on spreadsheets and shared inboxes to manage data subject requests, 2025 was a clear signal: request volume is no longer predictable, and the impact is no longer relegated to specific industries or large businesses. This article takes a deeper dive into the five most significant findings in DataGrail’s recent research on DSR trends and takes a closer look at the implications for privacy teams moving forward.
1. Deletion requests are driving DSR demand
Consumers generally don’t care to browse the data your business has on them, they just want it gone. Deletion requests now make up the vast majority of all data subject requests submitted. Deletion requests are easy for consumers to submit, especially with the advent of new authorized agent tools, and data subject request volume as a whole has increased as a result.
Deletion requests have increased so significantly, keeping up isn’t just an efficiency goal anymore. Request volume this daunting can create gaps as team members skip past steps in order to clear their desks faster, and every mounting deletion request increases your business risk.
The Takeaway: Requests completed slowly, inconsistently, or incompletely expose organizations to exactly the kind of scrutiny that regulators and plaintiff attorneys are actively looking for. Data subject request software built for this volume isn’t a nice-to-have; it’s the only way to fulfill requests thoroughly when teams don’t have the headcount to handle them individually.
2. Access requests can be a hidden trap
Deletion requests make up the bulk of request volume, but that doesn’t mean they’re the most time-consuming step in DSR management. Don’t underestimate the data subject access requests (DSARs) in your queue.
Access requests are categorically more resource-intensive to fulfill than deletion requests. Rather than removing a record, a DSAR requires locating, compiling, reviewing, and returning data, while carefully redacting information about third parties. States like Minnesota introduced new requirements in 2025 that added even more complexity: companies must now confirm the existence of sensitive data but redact it before returning an access response.
While access requests have gradually decreased on average, this pattern isn’t consistent for all industries. B2B industries specifically are hit harder by DSARs. 
Professional services companies receive 4.6 times more data subject access requests (DSARs) than the average company per year. Increase in DSAR volume contributed to total data subject request volume increasing 80% for professional services and 50% for B2B technology companies in 2025.
The stakes of identity verification are also higher for access requests. As DSAR volume increases, so does the risk of releasing data to someone who isn’t the actual data subject. DSAR identity verification software must prevent even small data breaches at scale.
The Takeaway: Even a modest DSAR backlog is more operationally painful than a larger number of pure deletion requests. If your data subject request software was built around deletion workflows, it may not be equipped for the specific complexity of access request fulfillment, especially as state-specific requirements continue to add steps to the process.
3. The DSR volume increase isn’t limited to certain industries
B2B businesses aren’t the only ones closing an unexpected gap. Industries with clear connections to sensitive data such as health and location-based businesses have been perennial fixtures at the top of the charts. 2025 showed us that any industry can enter the spotlight and see an increase in DSRs to match. 
Several industries that barely registered in previous years broke into the top five. The pattern is consistent across all of them: regulatory action or public controversy correlates directly with request volume.
Jobs and Professional Development climbed sharply as public anxiety around AI-driven hiring decisions grew louder. Consumers increasingly understand that their employment history, skills profiles, and application activity are being used to make consequential decisions about their careers. When that understanding spreads, deletion request volume follows.
Financial Services reflected the most direct regulatory trigger: New Jersey’s 2025 data protection law was the first state legislation to explicitly classify financial data as sensitive, putting consumers and businesses alike on notice.
Consumer Tech absorbed the pressure of EU Data Act scrutiny on connected devices. Gambling absorbed the fallout from high-profile data breaches and a UK High Court ruling that questioned whether a gambling addict could meaningfully consent to tracking cookies.
The Takeaway: Privacy teams in industries that feel “low risk” today should watch the regulatory calendar and news cycle as leading indicators of what their request queue will look like in six months. Even if you keep your own privacy posture perfectly buttoned up, a news event for a competitor could result in a sudden increase in DSR volume you have to be ready to handle.
4. Data brokers are at the frontlines
Data brokers have always taken the most heat on DSRs. DataGrail’s annual trends report excludes data brokers from all top-level reporting to avoid majorly skewing the data. But the volume increase brokers experienced in 2025 deserved its own analysis.
Data brokers saw the largest deletion request increases of any category, up 398% in 2025. The average registered data broker handled over 2,000 deletion requests and 900 opt-out requests per month before the California Delete Act even went into effect. The Delete Act requires data brokers to register with the California Privacy Protection Agency (CalPrivacy) and begin processing requests submitted to the centralized Delete Request and Opt Out Platform effective August 1, 2026. The deadline hasn’t even struck and hundreds of thousands of consumers have already submitted requests.
What makes this especially significant beyond registered brokers: under the CCPA’s broad definition of selling or sharing data, far more organizations qualify as data brokers than the 575+ currently registered with CalPrivacy. Unregistered brokers face a mountain of fines. Over 11 companies have been fined so far, and CalPrivacy warns that registration enforcement is a major priority for the year ahead. For less traditional data brokers that still meet the CCPA definition, this may be the first year they face a request volume so astronomical.
The Takeaway: If your organization has any reasonable question about whether it qualifies as a data broker under California law, that question needs an immediate answer, and you should begin preparing your DSR operations to scale now. DSR management software that wasn’t built with data broker compliance in mind may not be equipped for DROP-specific requirements.
5. The cost of compliance continues to climb
The Gartner data behind DataGrail’s $1.5M cost estimate puts the numbers in concrete terms: a single access or deletion request costs a medium-sized business receiving 5 million monthly unique web visitors approximately $1,524 to complete manually. A company at that traffic level receives roughly 984 access and deletion requests per year. The math adds up fast, and that’s before accounting for volume spikes.
The $1.5M manual processing cost is a median figure, not a worst case. Industries experiencing volume surges, which we’ll cover below, are paying significantly more. If your DSR fulfillment software was sized for your current volume, model what happens when volume doubles.
What these insights mean for your DSR program in 2026
A few priorities stand out from DataGrail’s 2025 data.
Pressure-test your capacity assumptions. If your DSR management software was sized for your current request volume, model what happens when your industry becomes the next one to draw regulatory attention. Don’t wait for the surge to find out.
Review your access request workflow separately from your deletion workflow. The two require different data handling, different review steps, and different verification processes. If your DSAR fulfillment software requires you treat them identically, that’s worth closing now.
Assess your data broker status if there’s any ambiguity. The Delete Act enforcement is real, the fines are already accumulating, and the DROP request volume waiting for August is significant.
Watch your industry’s peer group. Revisit your benchmarks and don’t assume last year’s volume represents next year’s baseline.
The case for DSR automation software
A team that manually processes DSR fulfillment can manage a predictable queue. It cannot absorb a sudden increase in request volume without breaking something. As privacy concerns become more industry agnostic and average DSR volume continues to increase, these surges will become standard.
The right DSR automation software doesn’t just route requests. It connects to the systems where your data actually lives, automates identity verification, coordinates across business units, and maintains a defensible audit trail throughout. For organizations with complex data environments, DSR software that requires manual integration setup becomes a liability the moment your vendor stack changes or an acquisition introduces new systems into scope.
DataGrail is built on 2,500+ pre-built integrations, the largest integration network in data privacy. When a request comes in, DataGrail automatically routes and tracks fulfillment across connected systems without requiring your team to manually touch every data store. Vera, DataGrail’s complete privacy AI agent, optimizes your workflow to intelligently automate redundant processes according to your unique process needs without compromising on compliance. That’s the difference between DSR management software that scales and one that doesn’t.
