DSAR Software

DSAR software is the tool a privacy team uses to run a Data Subject Access Request from intake to archive — capturing the request, verifying identity, finding the data, redacting what cannot be disclosed and delivering the response, all on the one-month deadline the EU and UK GDPR set. The best DSAR software does more than queue tickets — it makes the search defensible and writes the audit trail as the work happens. That distinction — a governed case versus a thread of emails — is what separates a tool that looks tidy in a demo from one that holds up when a supervisory authority asks how a response was produced. This guide covers what DSAR software is, why responding is a legal obligation, how the workflow actually runs, and the criteria that matter when you choose one.

Key takeaways

  • Responding to an access request is a legal obligation under Article 15 of the EU and UK GDPR, on the Article 12(3) one-month clock enforced by the DPC in Ireland and the ICO in the UK.
  • The deadline is not the only risk — disclosing third-party data, missing records in an unsearched system, and a weak audit trail are where the real exposure sits.
  • The test of DSAR software is the defensible end-to-end record: verified identity, searched systems, human-reviewed redactions and approved delivery, exportable for a DPC or ICO query.
  • AI flags PII and candidate third-party data and drafts the response; a person confirms every redaction and approves before delivery — nothing is auto-released.

What is DSAR software?

DSAR software manages a Data Subject Access Request — also called a subject access request, a SAR, or simply a right-of-access request — through its whole lifecycle rather than as a single email thread. A shared inbox can hold the correspondence, but it has no idea whether identity was verified, which systems were searched, or what was redacted and why. DSAR software treats each request as a governed case: it carries the requester's identity evidence, the applicable regulation, the search across connected systems, the redaction decisions, the approval before release, and the delivery record — and it knows the state of each at any point against the statutory deadline.

That defensibility is the point. When the Data Protection Commission (DPC) in Ireland or the Information Commissioner's Office (ICO) in the UK looks at how a controller handled a request, the question is not “did you reply” but “can you show you verified the right person, searched everywhere the data lived, withheld only what you were entitled to withhold, and evidenced all of it.” Acompli treats a request as one workflow from intake to a closed, searchable archive, so the record a regulator inspects is built as a by-product of doing the work, not reconstructed from email afterwards.

Why do you need DSAR software?

Responding to a valid access request is not a customer-service courtesy — it is a legal obligation. Article 15 of the EU GDPR (applied in Ireland through the Data Protection Act 2018) and of the UK GDPR gives an individual the right to a copy of their personal data and prescribed information about its processing, and Article 12(3) requires the response within one month, with a two-month extension only for genuinely complex or numerous requests and only if the requester is told within the first month. Both regulators treat access requests as a high-volume, high-scrutiny source of complaints.

But the deadline is the visible risk, not the largest one. Releasing one person's data to another is itself a breach a regulator can act on; a response that misses records held in a system nobody thought to search is incomplete; and a controller that cannot evidence its process reads as weak accountability under Article 5(2). DSAR software exists to close those gaps — to hold the clock, make the search and the redaction defensible, and leave behind a record that answers the regulator's questions before they are asked.

How does DSAR software work?

The strongest DSAR software runs the request as one governed pipeline rather than a set of manual handoffs. In Acompli the lifecycle moves through clear stages:

  • Intake & verification: a branded portal captures the request, the applicable regulation and identity evidence; duplicate detection runs; and verification clears before processing begins, so the trail shows the check happened before any data moved.
  • Discovery: connected source systems are searched in parallel, with results validated and attached to the request rather than emailing teams one by one.
  • Review & redaction: AI scans the collected documents and flags PII entities and candidate third-party data; a reviewer confirms, edits or rejects each finding before anything is finalised.
  • Response & delivery: a draft response is prepared for human review, approved by a person, and delivered securely through the requester portal — never sent automatically.
  • Archive: the closed request, with its full audit history and compliance metadata, moves to a searchable archive under configurable retention.

This is the honest meaning of “DSAR automation”: it reduces the chasing and the typing, not the accountability. The AI flags, classifies and drafts; a person approves every redaction and every release, and nothing leaves the platform without that approval. Throughout, a deadline clock tracks the Article 12(3) one-month period and records any two-month extension and its reason.

What should DSAR software include?

Whatever the vendor, score a tool against the work a request actually demands and what a supervisory-authority inspection tests — not how slick the queue looks. The criteria that matter:

  • Portal intake with recorded identity verification — the request and identity evidence captured against the requester, with duplicate detection, before processing starts.
  • Deadline tracking on the Article 12(3) clock — the one-month period from receipt, with two-month extension reasons recorded, and colour-coded urgency so nothing slips.
  • Parallel search across real source systems — the places personal data actually lives, queried together, with results validated before they enter the response.
  • AI-flagged PII with human-reviewed redaction — entities surfaced for a reviewer to confirm, edit or reject; never auto-released.
  • Exemption handling — the means to withhold genuine third-party data and privileged material, with the reason category recorded against each redaction.
  • An end-to-end audit trail and self-contained export — a closure record the DPC or ICO can read without a login to your platform.
  • Jurisdiction breadth as a rigour signal — a tool that tracks EU GDPR and UK GDPR deadlines correctly on one workflow, alongside other regimes where relevant, shows a granularity a single-regime tool cannot claim.

For the underlying legal detail behind these criteria — deadlines, fees, identity checks and exemptions in both jurisdictions — see the DSAR requirements guide for Ireland and the UK.

Key capabilities to expect

  • Branded portal intake — structured submissions with applicable-regulation selection and a unique reference per request.
  • Identity verification & duplicate detection — document upload and staff review recorded before processing begins.
  • Deadline & SLA tracking — the Article 12(3) one-month clock with recorded two-month extensions and colour-coded urgency.
  • Parallel discovery — connected source systems searched together, with results validated and attached.
  • AI PII detection with human-reviewed redaction — entities flagged for a reviewer; nothing auto-released.
  • Auditable delivery & archive — encryption-aware delivery and a self-contained closure record for a DPC or ICO request.

Who needs DSAR software?

Any organisation that holds personal data can receive an access request, and any controller that handles them at volume benefits from running them as governed cases rather than email. High-volume receivers — banks, insurers, employers, healthcare providers, retailers and the public sector — feel it first, but the obligation falls on every controller because a request can arrive verbally, to any part of the organisation, without ever using the words “subject access request.” Irish and UK public bodies have a particular case: they can run Article 15 access requests and Freedom of Information requests on one workflow, keeping each regime's legal tests distinct. See the Acompli DSAR Management module for how the workflow runs in the product, and the DSAR requirements guide for Ireland and the UK for the legal detail. Acompli DSAR Management is a standalone product.

Common questions about DSAR software

What is DSAR software?

DSAR software is the tool a privacy team uses to run a Data Subject Access Request from intake through to a closed, archived record. Rather than handle requests in a shared inbox, it treats each one as a governed case — capturing the request and identity evidence at a portal, searching the systems where personal data actually lives, surfacing third-party and out-of-scope material for redaction, delivering the response securely, and writing the audit trail as the work happens. In Acompli that whole lifecycle runs on one workflow, on the GDPR Article 12(3) one-month clock, with a person approving the response before it is released.

Why do businesses need DSAR software?

Because responding to an access request is a legal obligation under Article 15 of the EU and UK GDPR, and the deadline is only part of the exposure. The harder risks are operational: disclosing another person's data, missing records held in a system nobody searched, or being unable to show how a response was produced when the DPC or ICO asks. DSAR software keeps the request on its statutory clock, makes the search defensible, and produces the evidence trail a shared inbox cannot — turning a recurring source of complaints into a controlled, repeatable process.

How does DSAR software work?

Good DSAR software runs the request as one pipeline from intake to archive. In Acompli a data subject submits through a branded portal that captures their details and identity evidence; verification clears before processing begins; connected source systems are searched in parallel; AI scans the collected documents and flags PII and candidate third-party data; a reviewer confirms, edits or rejects each redaction; the response is approved by a person and delivered through a secure portal; and the closed request lands in a searchable archive. The AI flags and drafts — it never auto-releases — and a deadline clock tracks the Article 12(3) month and any recorded two-month extension throughout.

What features make the best DSAR software?

Score a tool against the work a request actually demands and what a regulator inspection tests: portal intake with identity verification recorded against the requester; deadline tracking on the Article 12(3) one-month clock with two-month extension reasons captured; parallel search across the real source systems where data lives; AI-flagged PII with human-reviewed redaction that is never auto-released; exemption handling for third-party and privileged material; and a self-contained, end-to-end audit trail the DPC or ICO can read without logging into your platform. A tool that only manages a ticket queue passes a demo and fails an audit.

What is the difference between DSAR software and a shared inbox?

A shared inbox holds correspondence; DSAR software holds a governed case. It records how identity was verified, which systems were searched and what they returned, every redaction with the reviewer who made it, the approval before release, and the delivery evidence — preserved as one closure record. A regulator's first questions are exactly the ones an inbox cannot answer: did you verify identity before disclosing, did you search everywhere the data lived, and can you show how this response was produced.

What is DSAR automation, and what should never be automated?

DSAR automation removes the manual chasing between intake and delivery — structured portal capture, duplicate detection, task routing to system owners, deadline clocks, and AI that flags PII entities and drafts a regulation-aware response. What it must not automate is the judgement and the release: decisions on exemptions, third-party data and proportionality stay with a reviewer, and in Acompli nothing is delivered through the requester portal without human approval. Automation reduces the typing, not the accountability.

Can DSAR software handle freedom of information requests too?

It can when the workflow is built for it. Irish public bodies receive both GDPR Article 15 subject access requests and Freedom of Information requests under the FOI Act 2014, and UK bodies handle FOIA 2000 requests alongside access requests. Acompli runs both on the identical lifecycle — intake, verification, search, redaction, approval and auditable delivery — while keeping each regime's distinct legal tests and timelines separate rather than collapsing them. One product covers data-subject rights and FOI.

Is DSAR software part of the Acompli compliance platform?

No — Acompli DSAR Management is a standalone product, licensed separately from the five-module compliance platform. It runs perfectly well on its own. When it is run alongside the platform it shares the same connector registry, role-based access and immutable audit log, so a completed request can reconcile against the Article 30 register and surface gaps as updates rather than leaving them in a request file.