Data Subject Access Requests · GDPR Article 15

DSAR management software — structured intake, guided processing, auditable delivery

Receive, verify, scope, redact and deliver every data subject request inside its Article 12(3) deadline — with the audit trail already written by the time the response goes out.

Portal intake, identity verification, task assignment, encryption-aware delivery, SLA tracking and regulator-ready reports — one workflow from request to archive.

Acompli DSAR request screen showing request queue, request type breakdown and SLA status.
Intake
Identity
Scope
Search
Redact
Respond
DSARREQ-1427
One request recordEvery search, review and release decision stays with the case file.
Acompli DSAR Management Brochure — page 1
View brochure
The DSAR workflow

From intake to archive — one structured pipeline

Each stage adds governance. By the time a response is delivered, it carries its verification trail, redaction log, QA checklist, and compliance metadata — all preserved in a searchable archive.

01Intake & Verification

Public portal for structured submissions

A branded, public-facing portal lets data subjects submit access, erasure, rectification, and portability requests directly. Each submission captures requestor details, selects the applicable regulation, and generates a unique reference number.

Identity verification follows — document upload, email OTP, staff review — before processing begins.

Intake record. Processing guardrails.

Request

Channel, requester details, right invoked and unique reference.

Identity

Evidence upload, email OTP, duplicate checks and staff review.

Scope

Regulation, request type, entity and exclusions captured before work starts.

Deadline

Article 12(3) clock, extension reason and blockers stay on the case.

Owners

Tasks route to system owners with status, evidence and notes.

Audit file

Each decision, search, approval and message is retained for closure.

Regulations
GDPR
UK GDPR
CCPA
LGPD
PIPEDA
POPIA
Request types
AccessErasureRectificationPortability
Processing starts only after verification. The clock, scope and evidence trail stay tied to the same request record.

SLA control path

A DSAR is an operational control sequence

This visual makes the operational risk clear: intake, identity, scope, search, redaction, approval, delivery and archive each need evidence while the Article 12 clock is running.

Technical infographic showing DSAR intake, verification, scoping, search, review and delivery controls with evidence produced at each stage.

Discovery and redaction

The hard part is proving what was searched and withheld

This diagram focuses on the real DSAR complexity: assigning searches, collecting returns and non-hits, confirming PII, applying exemptions, QA and packaging the final disclosure.

Technical infographic showing DSAR discovery and redaction workflow, including system owner tasks, collection logs, PII findings, exemption decisions, QA and disclosure records.

Subject Rights Management

What is DSAR software?

DSAR software is a workflow tool for managing Data Subject Access Requests and other privacy rights requests. It helps teams capture the request, verify identity, assign tasks, track deadlines, review and redact information, deliver the response securely and keep an audit trail of the decision-making process.

Acompli is built for DSAR operations, not just legal interpretation. It gives teams visibility over the request lifecycle from intake to closure.

Article 15 answer

Is responding to a DSAR a legal requirement in Ireland and the UK?

Yes. A Data Subject Access Request (DSAR), or subject access request, is an individual’s right to obtain the personal data an organisation holds about them. Under GDPR Article 15 — enacted in Ireland through the Data Protection Act 2018 and enforced by the Data Protection Commission, and mirrored in UK GDPR Article 15 and the DPA 2018 enforced by the ICO — controllers must confirm whether they process the data, provide access to it, and supply the supporting information about the processing.

GDPR Article 12(3) requires a response without undue delay and within one month of receipt, with a possible two-month extension for complex or numerous requests if the individual is told within the first month.

What matters

A DSAR workflow has to prove the request was handled properly

Shared inboxes usually fail at the same point: the team can send a response, but cannot easily prove how the response was built. Acompli keeps the request lifecycle in one record from intake to delivery.

  • Intake and identity checks are recorded before processing begins.
  • Deadlines and extensions stay tied to the statutory clock.
  • Source-system searches show where the team looked and what was collected.
  • Redactions and exemptions are reviewed by a person before release.
  • Delivery and closure leave an audit trail a DPO can export.

DSAR FAQ

DSAR questions answered

Built to the DPC and ICO audit expectation: the GDPR Article 12(3) one-month clock, Schedule 2 DPA 2018 exemptions, Schrems II transfer records, Article 30 reconciliation, and a traceable Evidence Pack for every closed request.

DSAR software is the tool a privacy team uses to manage Data Subject Access Requests from intake to delivery. Acompli DSAR is a standalone product that runs the full lifecycle: portal intake, identity verification with duplicate detection, parallel search across source systems, AI-assisted redaction reviewed by a person, encryption-aware delivery through a secure requester portal, and SLA tracking against the GDPR Article 12(3) one-month clock the DPC and ICO enforce.

More DSAR operations questions

See DSAR management in action

Structured intake, guided processing, AI-assisted responses, and complete audit trails. DSAR is a separate Acompli product — run it on its own, or alongside the platform so requests connect to your assessments, risk register, and RoPA.