Responding to DSARs when personal data lives in photos
A DSAR just landed on your desk. The data subject wants to know every photo you hold of them. You have 30 days. Here is how to actually do it.
Photos are the hardest part of any DSAR
Text data is searchable. You can grep a database, search an email archive, query a CRM. But photos? Photos are opaque blobs. You cannot search inside them. You cannot ask your CMS "show me every photo containing this person."
So you end up doing the only thing you can: manually reviewing photos. Every folder. Every archive. Every page on every website. Every press kit, every event gallery, every marketing brochure.
For a medium-sized organization with 10,000 photos, that is weeks of work. And you still cannot be certain you found everything.
The 30-day clock
DSAR arrives. Verify identity, assess scope. Realize photos are in scope.
Manual search across systems. Check the website, shared drives, marketing folders, event archives.
Still searching. Ask colleagues. Check old backups. Wonder what you have missed.
Compile results. Add caveats about what you might have missed. Send a response you are not confident in.
Where photos hide in your organization
Most DPOs underestimate where personal photos exist. Here are the places you need to check — and the ones you will probably forget. (See our step-by-step face data audit guide for a detailed walkthrough.)
Corporate website
Team pages, about pages, blog posts, press releases, event recaps. Often dozens of pages with face photos.
Shared drives
SharePoint, Google Drive, Dropbox. Years of accumulated photos in nested folders no one maintains.
Marketing materials
Brochures, presentations, social media posts, ad campaigns. Often reused across channels.
Event galleries
Company events, conferences, holiday parties. Hundreds of photos per event, often untagged.
Internal systems
Intranet, HR system profile photos, training platforms, internal newsletters.
Archives and backups
Old website versions, archived project folders, email attachments. The stuff everyone forgets about.
Three scenarios you will recognize
Employee departure
A former employee exercises their right of access. They want to know every photo you still hold of them — and there are photos from five years of company events, team pages, and internal presentations.
The hard part
Their face appears in group photos. You cannot search for "photos with Lars in them." You have to open every photo, look at every face, across every system they ever interacted with.
With face recognition
Upload their portrait. Get every match across all sources in seconds. Complete, documented, audit-ready. Respond on day 1 instead of day 28.
Customer request
A customer asks you to confirm whether you hold any photos of them. They attended three of your events over two years and suspect photos were taken and published.
The hard part
Event galleries alone contain thousands of photos. You do not have a reliable way to match a face across events. Different photographers, different systems, different file structures.
With face recognition
All event galleries are indexed. Search by face and get a precise list of every appearance, with source location and context. No guessing.
Legal proceedings
A lawyer sends a formal DSAR on behalf of their client. The tone makes it clear that an incomplete response will lead to a complaint to the supervisory authority.
The hard part
The stakes are high. "We searched our main systems" is not a defensible answer. You need to prove you conducted a thorough search, and you need documentation to back it up.
With face recognition
Comprehensive search with a documented audit trail. Every source checked, every match recorded, export-ready for legal review. Defensible by design.
From 5-day search to 5-minute response
Ansikt indexes all your photo sources, detects every face, and lets you search by person. When a DSAR arrives, you have the answer already.
Index your sources
Connect your photo libraries, crawl your websites, upload your archives. Ansikt detects and indexes every face automatically.
Search by person
Upload a portrait or select a known person. Get every photo they appear in, across all sources, in seconds.
Export and respond
Export results with source locations, timestamps, and audit trail. Ready for the data subject or their legal representative.
See what a DSAR response looks like for your website
Our free scan crawls your website and shows you exactly how many face photos are publicly visible — the kind of inventory you would need to produce when responding to a DSAR. No signup required.