Handling data subject access requests with AI triage

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-legal-AI-and-data-subject-access-request-adults

1. In a DSAR response workflow, which task is most appropriate for AI to perform?

   1. Validating that all relevant systems were searched
   2. Generating search-term packages for each DSAR scope element
   3. Determining which legal exemptions apply to responsive documents
   4. Deciding whether to release third-party personal data

2. A privacy professional asks the AI to identify all documents containing 'John Smith' and summarize whether each is responsive to the DSAR. Why is counsel still required before releasing the results?

   1. The AI lacks authority to access document repositories
   2. Counsel must verify the data subject submitted a valid identity proof
   3. Releasing third-party data in a DSAR response can itself violate privacy laws
   4. AI-generated summaries are inadmissible as legal evidence

3. Which of the following is an example of AI appropriately supporting a DSAR response?

   1. Deciding that third-party commercial secrets outweigh the data subject's access right
   2. Drafting an initial acknowledgment letter with statutory deadline disclosures
   3. Approving the final response package for release
   4. Determining that legal privilege protects certain responsive documents

4. What distinguishes the scope of a DSAR from the search conducted to fulfill it?

   1. Scope defines what data the data subject is entitled to receive; the search identifies where that data resides
   2. Scope and search are identical concepts in DSAR processing
   3. Scope is determined by AI; search is determined by counsel
   4. Scope applies only to written requests; search applies to verbal requests

5. Why must privacy counsel be involved in scoping a DSAR rather than relying solely on AI?

   1. Counsel is required to operate the AI system
   2. AI cannot interpret jurisdictional rules governing the data subject's rights
   3. AI requires legal training to process any document
   4. DSAR scoping is purely a technical task

6. A company receives a DSAR and uses AI to identify responsive documents. What remaining validation step is essential before release?

   1. Extending the statutory response deadline
   2. Confirming that all relevant systems were searched
   3. Requesting additional identity verification from the data subject
   4. Running the AI summaries through a second AI system

7. What risk does the lesson identify if AI alone determines what to release in a DSAR response?

   1. Potential privacy violations from releasing third-party personal data
   2. Inadvertent disclosure of attorney-client privileged communications
   3. Loss of the company's trade secrets
   4. Automatic compliance with all applicable exemptions

8. What does a data inventory provide when preparing to process a DSAR?

   1. A compilation of all legal exemptions that apply to the request
   2. A list of all employees who have accessed the data subject's information
   3. A record of prior DSAR responses for similar requests
   4. A catalog of where personal data is stored across the organization's systems

9. Which task listed is specifically noted as something AI does WELL in DSAR processing?

   1. Summarizing candidate documents into responsive versus non-responsive piles
   2. Approving the final response for legal sufficiency
   3. Balancing the data subject's access right against third-party privacy
   4. Determining that attorney-client privilege applies to a document

10. Why is tracking statutory deadlines against the clock important in DSAR processing?

    1. AI systems require advance warning to initiate processing
    2. Regulations impose strict time limits for DSAR responses, and missed deadlines can trigger enforcement action
    3. Data subjects can extend deadlines by requesting them
    4. Deadlines are merely advisory best practices

11. An AI system classifies a document as 'non-responsive' to a DSAR. What should happen before accepting this classification?

    1. Human review to ensure the AI did not miss relevance that requires legal judgment
    2. Automatic acceptance since AI classification is reliable for responsiveness
    3. Forwarding the document to the data subject for their input
    4. Deleting the document to avoid any potential disclosure

12. What type of information should be included in a DSAR acknowledgment letter drafted by AI?

    1. Required statutory disclosures and the response deadline
    2. A detailed list of all exemptions that will be claimed
    3. A commitment to release all documents without redaction
    4. An invitation to modify the scope of the request

13. When might AI-generated search terms be insufficient for a thorough DSAR search?

    1. When the request is particularly simple and narrow
    2. When the data inventory is outdated or incomplete
    3. When the data subject requests a faster response
    4. When the organization uses only cloud-based systems

14. In exemption analysis for DSARs, why is human legal judgment required rather than AI?

    1. Exemptions require interpreting how legal standards apply to specific facts and contexts
    2. AI cannot identify which documents contain personal data
    3. Exemptions must be approved by the data subject before being applied
    4. AI systems are prohibited from accessing exempt documents

15. A privacy team wants to fully automate DSAR responses using AI. Based on the lesson, what is the fundamental barrier?

    1. AI cannot identify personal data within documents
    2. AI systems are too expensive for routine DSAR processing
    3. Regulations require a human signature on all DSAR responses
    4. AI cannot make the final release decision, which requires human judgment about legal compliance