What are the steps to respond to a DSAR?

The key steps are: (1) acknowledge receipt, (2) verify the requester's identity, (3) locate all personal data across systems, (4) review and apply exemptions, (5) redact third-party personal data, (6) compile the response with required supplementary information, and (7) deliver securely within the deadline.

Do I need to redact third-party data in a DSAR response?

Yes. Article 15(4) of the GDPR states that the right of access must not adversely affect the rights of others. All third-party personal data must be redacted before disclosure, unless the third party has consented.

What documentation should I keep for DSAR compliance?

Maintain records of: the request date, identity verification steps, data sources searched, exemptions applied, redactions made, response date, and delivery method. This documentation provides a defensible audit trail for regulatory review.

Data Subject Access Request Software: How to Choose the Right Tool

DSAR volumes grew 72% between 2021 and 2024. Manual processing costs $1,524 per request. The right software can cut that by 80% — but "DSAR software" means very different things depending on what you need. This guide breaks the market into three categories and helps you choose.

Three categories of DSAR software

The DSAR tooling market has matured into three distinct categories. Most organisations need tools from at least two of them.

1. Full-platform DSAR automation

These platforms manage the entire DSAR lifecycle: intake forms, identity verification, data discovery across connected systems, workflow routing to data owners, response compilation, and secure delivery. Major players include OneTrust, DataGrail, Osano, Ketch, and Mandatly.

Best for: Enterprises processing 100+ DSARs per year across many data systems. Typical pricing: $30K–$500K/year depending on volume and integrations. Limitation: Most include basic redaction but rely on external tools for document-heavy redaction work. They discover and route data well but don't solve the redaction bottleneck.

2. Document redaction tools

These focus specifically on the redaction step — detecting and permanently removing PII from documents before they're included in a DSAR response. They plug into the DSAR workflow at step 5 (redact third-party data). Tools include SafeRedact, Redactable, Adobe Acrobat Pro, iDox.ai, and CaseGuard.

Best for: Any organisation that needs to redact documents as part of DSAR processing — which is nearly all of them. Typical pricing: Free tiers to $99/year (SafeRedact) up to enterprise licensing. Advantage: Purpose-built for the most time-consuming step in DSAR processing.

3. eDiscovery and legal platforms

Legal technology platforms that include redaction as part of broader document review capabilities. Exterro, Relativity, and Nuix fall into this category. They're designed for litigation support but their document processing capabilities translate well to DSAR workflows.

Best for: Legal teams handling litigation-adjacent DSARs or organisations already using these platforms. Typical pricing: Enterprise agreements, typically $50K+/year. Limitation: Overkill for organisations whose primary need is DSAR document redaction.

What to look for in DSAR software

For redaction-specific tools

AI-powered PII detection: Pattern matching catches SSNs and credit card numbers, but only AI reliably detects context-dependent PII like names and addresses. This matters enormously for DSAR redaction where you need to find every mention of third-party individuals across unstructured documents.

Selective redaction: DSAR redaction requires keeping the requester's data while removing everyone else's. Tools that only offer all-or-nothing redaction don't fit the DSAR use case.

Permanent redaction: The output must be truly redacted — no hidden text layers, no recoverable metadata. Verify that the tool produces pixel-burn or text-removal redaction, not visual overlays.

Data residency and processing: If you're uploading DSAR documents to a cloud service, you're creating a new data processing relationship. Under GDPR, this may require a Data Processing Agreement and impact assessment. Browser-based tools like SafeRedact that process locally eliminate this concern.

Audit trail: Every redaction decision should be logged for regulatory defence. Which documents were processed, what was redacted, when, and by whom.

For platform-level DSAR tools

System integrations: The tool should connect to your actual data sources — CRM, HRIS, email, cloud storage, databases. The more systems it can search automatically, the less manual work per request.

Workflow automation: Routing requests to data owners, tracking deadlines, sending reminders, and managing approvals. The administrative overhead of DSAR management is significant at scale.

Deadline management: With different deadlines across jurisdictions (30 days GDPR, 45 days CCPA, etc.), automatic deadline tracking and escalation prevents compliance failures.

Best DSAR solutions for reducing request turnaround time

The fastest way to cut DSAR turnaround time is to address the bottleneck, which is almost always the redaction step. Document review and redaction accounts for 40–60% of total DSAR processing time. An organisation spending 20 hours on a complex DSAR can cut that to 4–6 hours by automating PII detection and using selective redaction workflows.

SafeRedact processes each page in seconds. Upload a document, AI flags all PII instances with category labels, you approve which items to redact, and the permanently redacted file downloads immediately. For a 500-page employee DSAR, this reduces the redaction step from days to hours.

Best practices for tracking DSAR request status

Whether you use a dedicated DSAR platform or a simple spreadsheet, track these fields for every request: unique request ID, date received, requester identity and verification status, compliance deadline, systems searched and dates, exemptions applied with reasoning, redaction status, response delivery date and method, and any extensions granted with justification.

For organisations handling fewer than 20 DSARs per year, a structured spreadsheet with deadline alerts is sufficient. Above that volume, a dedicated DSAR management tool pays for itself in time savings and reduced compliance risk.

Where SafeRedact fits

SafeRedact is a document redaction tool — category 2 in the framework above. It solves the redaction bottleneck that exists in every DSAR workflow regardless of what other tools you use.

Browser-based processing means DSAR documents containing third-party PII never leave your device — eliminating the additional data processing liability that comes with uploading to cloud redaction services.

AI-powered detection using Anthropic's Claude with zero data retention catches context-dependent PII that pattern matching misses.

Selective redaction workflow is purpose-built for DSAR: identify all PII, then choose what to keep (requester's data) and what to remove (everyone else's).

Start redacting free — first document free, no signup →

Frequently asked questions

What is DSAR software?

DSAR software helps organisations manage and respond to Data Subject Access Requests. It ranges from full-platform automation tools (OneTrust, DataGrail) that handle the entire workflow, to document redaction tools (SafeRedact, Redactable) that specifically address the PII removal step.

How much does DSAR software cost?

Full-platform DSAR automation starts at $30K/year for mid-market and scales to $500K+ for enterprise. Document redaction tools range from free tiers to $99/year (SafeRedact) or per-document pricing (Redactable). The choice depends on your DSAR volume and existing infrastructure.

Can I handle DSARs without dedicated software?

For low volumes (under 10 per year), a structured manual process with spreadsheet tracking can work. However, the redaction step still requires proper tooling — attempting document redaction with basic PDF editors risks incomplete redaction and data breaches.

DSAR & Redaction Guides

DSAR: The Complete Guide What Is a DSAR? DSAR Redaction Guide DSAR Compliance Checklist Automate DSAR Redaction DSAR Redaction Cost → DSAR Software Comparison CCPA DSAR Guide US State Privacy Laws Subject Rights Requests DSAR Cost Calculator