DSAR management
Cut DSAR response times from weeks to days
Manual DSARs drain resources and risk regulatory fines. Acompli automates the entire lifecycle — from public intake portal and identity verification through AI-powered redaction to secure delivery — with a complete audit trail at every step. One platform for GDPR, CCPA, LGPD, PIPEDA and POPIA.
Why teams manage DSARs in Acompli
Automate the busywork. Keep humans in control.
An 8-stage workflow pipeline handles every request from intake to completion. Your team focuses on review and judgement — not chasing spreadsheets.
Public request portal
Data subjects submit requests through branded, multi-step forms — with separate flows for customers, employees and contractors. File uploads, form validation and automatic reference number generation are built in.
Requesters can check status at any time using their reference number. Multi-language support ensures accessibility across jurisdictions.
Multi-method identity verification
Verify requesters through email OTP, SMS or voice call verification, document upload review and configurable security questions. Verification codes expire after 15 minutes with automatic lockout after 5 failed attempts.
Every verification step is logged with timestamps and responsible parties, building the audit trail regulators expect to see.
Smart deadline tracking
Automatic deadline calculation per regulation — 30 days for GDPR, 45 for CCPA, plus jurisdiction-specific rules for LGPD, PIPEDA and POPIA. Extension requests are tracked and documented when complexity demands it.
Reminders, escalations and manager alerts fire before you run out of time. Dashboard views show every open request by status, deadline proximity and owner.
Enterprise-grade redaction
Pixel-level redaction. Not just PDF masking.
Most tools overlay black boxes on PDFs, leaving the underlying content recoverable with the right software. Acompli permanently destroys PII at the pixel level, so redacted data is gone for good.
AI-powered detection
A hybrid detection pipeline combines local regex pattern matching with AI-powered PII recognition. OCR extracts text from scanned documents and images, then each detected element gets a confidence score so your team can prioritise review.
Human-in-the-loop review
Detected PII is flagged with confidence badges — but nothing is redacted until a human approves it. Staff review, accept or reject each detection before the redaction is permanently burned into the document.
Reusable redaction templates
Save and reuse redaction patterns for common scenarios — supplier-specific templates, standard bank statement layouts, or recurring document types. Consistency across your team without starting from scratch each time.
8-stage pipeline — automated end to end
Every step is guided, tracked and logged so your team stays consistent and your audit trail stays complete.
- Intake – requests are captured via the public portal, categorised by right type and regulation, and assigned to an owner. The deadline clock starts automatically.
- Verification – multi-method identity verification with email OTP, phone, document upload and security questions. Evidence is collected and timestamped.
- Collection – leverage your RoPA and data map to identify where personal data lives. Coordinate with data owners through in-platform tasks.
- Review – structured checklists flag third-party data, legal privilege and exemptions. Compliance checklists adapt to the applicable regulation.
- Redaction – AI-powered detection with human-in-the-loop approval. Pixel-level redaction permanently destroys PII in documents and images.
- Quality assurance – a dedicated QA stage ensures completeness, accuracy and compliance before the response leaves your organisation.
- Response – regulation-specific templates ensure consistent, professional communication. Send through the secure data subject portal.
- Complete – capture delivery confirmation, archive the full case file and close the audit trail. Completed requests move to archive with restore capability.
Custom workflow builder
The 8-stage pipeline works out of the box, but you can also build your own.
- Visual stage editor – create, reorder and configure stages with a drag-and-drop interface.
- Transition rules – define which stages can follow which, with mandatory completion criteria.
- Notification config – set up email alerts, in-app notifications and escalations per stage.
- Webhook support – trigger external systems when requests enter or leave specific stages.
- Publish & duplicate – publish workflows for your team, duplicate proven workflows and adapt them for new use cases.
Data subject experience
A portal your data subjects will actually use
Give data subjects visibility into their request without adding email overhead for your team.
Secure token-based access
Each data subject receives a unique portal link with a 30-day expiry. No account creation required — they click the link, verify their identity and see their request status, timeline and documents.
Two-way messaging
Threaded communication between data subjects and your team, all within the portal. No sensitive personal data passes through unencrypted email — every message is logged and attached to the request record.
Status timeline & document access
Data subjects see a visual progress tracker through your workflow stages and can securely download their processed, redacted data when the response is ready.
AI-powered analysis
Voice transcription and intelligent request analysis
Phone-based DSARs and complex requests are handled with the same rigour as written submissions.
Voice transcription
Record a phone-based DSAR and Acompli transcribes it with word-level timestamps. Support for 9+ languages including Irish Gaelic, with cross-language translation built in.
AI transcript analysis
Transcripts are automatically analysed for sentiment, intent classification, entity extraction and risk assessment. PII is detected in voice recordings just as it is in documents.
Auto-generated response drafts
AI generates draft response letters and identifies action items from transcripts — giving your team a head start on every phone-based request instead of starting from a blank page.
Analytics & reporting
Know exactly where you stand
Real-time dashboards and one-click reports give your DPO and leadership the visibility they need.
SLA compliance tracking
Gauge visualisations show your compliance percentage at a glance. Track average completion times, overdue request counts and response time distribution across your team.
Cost per request
Financial tracking shows the true cost of DSAR fulfilment — broken down by regulation, request type and team. Demonstrate ROI to leadership and identify where automation saves the most.
One-click reports
Generate compliance summaries, SLA performance reports, team workload breakdowns and regulation-specific analysis. Export to CSV or PDF, or print directly for board presentations.
Every data subject right. Every regulation.
Acompli handles the full spectrum of data subject rights across GDPR, UK GDPR, CCPA/CPRA, LGPD, PIPEDA and POPIA — not just access requests.
Access (GDPR Art. 15 / CCPA §1798.100)
The right to obtain confirmation of processing and a copy of personal data. Acompli coordinates data discovery using your RoPA and data map, then guides AI-powered redaction and review before secure disclosure.
Erasure (GDPR Art. 17 / CCPA §1798.105)
The "right to be forgotten" in qualifying circumstances. Guided workflows assess whether exemptions apply, document the decision and confirm deletion across relevant systems.
Rectification (GDPR Art. 16)
The right to have inaccurate data corrected. Acompli tracks what was changed, when and why — maintaining data integrity and a complete correction history for regulators.
Portability (GDPR Art. 20)
The right to receive data in a structured, machine-readable format. Export tools generate compliant data packages ready for secure delivery to the data subject or another controller.
Restriction (GDPR Art. 18)
The right to limit processing while disputes are resolved. Acompli flags restricted records and tracks restriction status until the matter is concluded.
Objection (GDPR Art. 21 / CCPA Opt-Out)
The right to object to processing based on legitimate interests or direct marketing, including CCPA "Do Not Sell" requests. Document your assessment, decision and response in one place.
Built into your compliance platform
DSAR management works best when it connects to the rest of your privacy programme.
- RoPA & data map integration – your Article 30 records show exactly where personal data lives, reducing time spent hunting across departments.
- Business group management – assign requests to organisational units, track workload per group and manage capacity across teams.
- Task management – create and assign tasks per request with status tracking and compliance checklists at every stage.
- Activity timeline – a chronological history of every action on every request, exportable for auditors on demand.
Enterprise-grade security
Personal data deserves serious protection at every step.
- Encrypted portal access – token-based with automatic expiry.
- Role-based access control – Admin, Staff and Viewer roles ensure people see only what they need.
- Input validation – schema validation on every form submission.
- Rate limiting – login attempt throttling and account lockout protection.
- Audit logging – every action recorded with timestamp, user and details.
Your brand, your portal
Customise everything your data subjects see
Make the request portal and communications look like they come from your organisation, not a third-party tool.
Portal branding
Upload your logo, set your brand colours and customise the welcome message and form instructions. A live preview shows exactly what data subjects will see before you publish.
Email configuration
Set your sender name, sender email and reply-to address. Toggle notification types on or off and preview every email template before it goes out.
Workflow defaults
Configure default deadline periods, auto-expiry for unverified requests and default workflow stages. Visualise your workflow configuration before deploying it to your team.
DSAR Management FAQs
What is a DSAR?
A Data Subject Access Request (DSAR) is a request from an individual to access the personal data an organisation holds about them. Under GDPR Article 15, data subjects have the right to obtain confirmation of whether their data is being processed, access to their personal data, and information about how it is used. The term "DSAR" is often used broadly to cover all data subject rights requests, including erasure, rectification and portability.
How long do we have to respond to a DSAR?
It depends on the regulation. GDPR requires a response within 30 calendar days, CCPA allows 45 days, and other regulations have their own deadlines. Extensions are available for complex cases — GDPR allows a further 60 days, and CCPA a further 45 — but you must notify the data subject within the initial window. Acompli calculates the correct deadline automatically based on the applicable regulation.
Can we charge for DSARs?
Generally, no. GDPR requires organisations to provide the first copy of personal data free of charge. However, you may charge a "reasonable fee" for additional copies, or for requests that are "manifestly unfounded or excessive" (particularly if repetitive). Any fee must be based on administrative costs. In practice, most DSARs must be handled at no cost to the data subject.
Do we need to verify the requester's identity?
Yes. Before disclosing personal data, you must have reasonable confidence that the requester is who they claim to be. The level of verification should be proportionate to the sensitivity of the data and the risk of disclosure to the wrong person. Acompli supports email OTP, phone verification (SMS and voice), document upload and configurable security questions — with automatic lockout protection after failed attempts.
What exemptions apply to DSARs?
Several exemptions may limit or modify your obligations. These include legal professional privilege, ongoing legal proceedings, regulatory investigations, and disclosures that would adversely affect the rights of others (such as revealing third-party personal data). The UK and Ireland also have specific exemptions for journalism, research and crime prevention. Exemptions must be applied case-by-case and documented carefully.
What regulations does Acompli support?
Acompli supports GDPR (EU), UK GDPR, CCPA/CPRA (California), LGPD (Brazil), PIPEDA (Canada) and POPIA (South Africa) out of the box. Deadline calculation, template language, compliance checklists and workflow steps adjust based on the applicable regulation, so one platform handles multi-jurisdiction compliance. The custom workflow builder also lets you adapt processes for emerging regulations.
How does the redaction engine work?
Acompli uses a hybrid detection pipeline that combines local regex patterns with AI-powered PII recognition. OCR extracts text from scanned documents and images, then each detected element is flagged with a confidence score for human review. Once a team member approves the redactions, PII is permanently destroyed at the pixel level — not just masked with an overlay that could be removed. Reusable redaction templates speed up common document types.
Can data subjects track their own requests?
Yes. Every data subject receives a unique, token-based portal link where they can view their request status, see a visual timeline of progress through your workflow stages, exchange messages with your team and securely download their processed data when the response is ready. No account creation is required — portal links expire after 30 days.
Stop firefighting DSARs. Start managing them.
DSAR volumes are growing every year and regulators are watching. Acompli gives your team the automation, redaction engine and audit trail to handle every request confidently — no matter how many come in or which regulation applies.
DSAR management is included in every plan. See pricing to compare.
