With the GDPR and CCPA thoroughly entrenched, and more privacy and data protection laws in the pipeline, subject access requests (SARs) are not going away. And without a common approach to handling SARs, some companies are adopting bad DSAR practices. Two major issues? Organisations collect too much data to respond to a SAR, and some claim not to have related data because they don't tie that data to common quasi-identifiers, like names. To help address these issues, the IAPP proposes the concept of "dynamic DSARs."