Data Subject Access Request (DSAR) Management: End-to-End Workflow and Configuration Guide

25 March, 2026

Managing Data Subject Requests (DSR) is a critical requirement under modern data protection regulations such as GDPR and similar privacy laws. A structured DSAR management system ensures regulatory compliance, accountability, audit readiness, and secure handling of personal data rights.

This guide covers the following key areas of the DSAR module:

  • DSAR Dashboard Overview
  • Case Lifecycle and Status Management
  • Action Center and Evidence Logging
  • Creating a New DSAR
  • DSR Settings Configuration
  • Embedding the DSAR Web Form

  1. DSAR Dashboard Overview

    The DSAR dashboard provides centralized visibility of all data subject requests. It enables compliance teams to monitor deadlines, assign ownership, and track case progress.

    Key Fields in the Dashboard:

    • Identifier (Case ID): Unique reference (e.g., DSAR-0006)
    • Requester Name: Data subject name
    • Email: Contact email
    • Due By: Regulatory response deadline
    • Request Type: Access, Erasure, Correction
    • Status: Current processing stage

    Additional indicators may include:

    • Overdue alerts
    • Clock stopped status
    • Fulfilled and Closed
    • Legally denied
    • Verification failed

  2. DSAR Case Lifecycle

    Each DSAR follows a defined workflow to maintain compliance and documentation integrity.

    Identity Verification

    Before processing any request, the organization must confirm the data subject’s identity. This prevents unauthorized disclosure of personal data.

    Possible outcomes:

    • Identity Verified
    • Verification Failed

    If verification fails, the case can be closed with proper documentation.

    Discovery Phase

    Once identity is verified, the discovery process begins.

    This includes:

    • Searching internal systems
    • Reviewing data catalog records
    • Identifying linked business processes
    • Checking third-party processors

    Discovery ensures completeness and transparency in the response.

    Fulfilled and Closed

    The request is completed within the regulatory deadline and formally closed.

    Legally Denied and Closed

    A request may be denied due to:

    • Legal retention obligations
    • Ongoing investigations
    • Contractual necessity
    • Regulatory exemptions

    Denial must be documented with justification for audit purposes.

    Overdue and Clock Management

    • Overdue indicates a missed regulatory deadline.
    • Clock Stopped applies when additional clarification or verification is pending.

    Proper clock management ensures defensibility during regulatory audits.

  3. Inside a DSAR Case

    Clicking a case opens a detailed case management panel.

    Case Summary

    Displays:

    • Case ID
    • Request Type
    • Data Subject Name
    • Contact Email
    • Deadline
    • Assigned Owner

    Clear ownership ensures accountability.

    Action Center

    The Action Center highlights required actions.

    Example:

    Confirm the Data Subject’s identity using internal verification tools and upload evidence.

    Only the assigned case owner can update status, ensuring governance control.

    Audit & Evidence Log

    Every action is logged:

    • Submission timestamp
    • Status changes
    • Internal updates
    • Evidence uploads

    This creates a tamper-proof audit trail.
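
The lifecycle in section 2, the owner-only rule in the Action Center and the logging described here can be enforced together in one status-update function. This is an added example, not the product's own code: the status names come from this guide, while the transition table, field names, function names and the logging of rejected attempts are assumptions.

```javascript
// Added example: DSAR status transitions with owner-only updates and an
// append-only log. Status names come from the guide; the transition table,
// field names and function names are assumptions, not the product's API.
const TRANSITIONS = {
  "Identity Verification": ["Discovery", "Verification Failed"],
  "Discovery": ["Fulfilled and Closed", "Legally Denied and Closed"],
  "Verification Failed": [],
  "Fulfilled and Closed": [],
  "Legally Denied and Closed": [],
};
// Outcomes the guide says must be documented before the case is closed.
const NEEDS_NOTE = new Set(["Verification Failed", "Legally Denied and Closed"]);

function createCase(id, owner, submittedAt) {
  return {
    id, owner, status: "Identity Verification",
    log: [{ at: submittedAt, actor: "system", event: "submitted" }],
  };
}

function updateStatus(dsar, actor, next, at, note = "") {
  const deny = (reason) => {
    // Assumption: rejected attempts are logged too, so the trail shows who tried what.
    dsar.log.push({ at, actor, event: "rejected", to: next, reason });
    return { ok: false, reason };
  };
  if (actor !== dsar.owner) return deny("not case owner");
  if (!(TRANSITIONS[dsar.status] || []).includes(next)) return deny("invalid transition");
  if (NEEDS_NOTE.has(next) && note.trim() === "") return deny("justification required");
  dsar.log.push({ at, actor, event: "status", from: dsar.status, to: next, note });
  dsar.status = next;
  return { ok: true };
}

// Constructed walk-through: a non-owner is refused, then the owner proceeds.
const demoCase = createCase("DSAR-0006", "dpo@example.com", "2026-03-25T09:00:00Z");
updateStatus(demoCase, "analyst@example.com", "Discovery", "2026-03-25T10:00:00Z");
updateStatus(demoCase, "dpo@example.com", "Discovery", "2026-03-26T09:00:00Z");
console.log(demoCase.status, demoCase.log.length);
```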

    Attachments

    Supporting documentation such as:

    • Identity proof
    • Screenshots
    • Email communication
    • Legal review documents

    Evidence strengthens compliance defensibility.

  4. Creating a New DSAR

    New requests can be submitted via web form or manually logged.

    Required Fields:

    • Requester Name
    • Contact Email
    • Type of Request (Access, Erasure, Correction)
    • Specific Details

    Upon submission:

    • A unique Case ID is generated
    • The fulfillment deadline is calculated
    • A case owner is assigned
    • The status begins at Identity Verification

  5. DSR Settings Configuration

    The DSR Settings module defines system-level configurations for managing incoming requests and embedding the DSAR form on the organization’s website.

    This section is critical for automation, assignment control, and deadline management.

    Key Configuration Fields

    Website Origin

    Defines the domain where the DSAR form will be embedded.

    Example:

    https://yourwebsite.com

    Why this matters:

    • Ensures domain validation
    • Prevents unauthorized embedding
    • Supports secure integration
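
Domain validation of this kind depends on comparing the whole origin exactly, not on a prefix or substring match. The following is an added example, not the product's own code: it assumes the server compares the browser's Origin header on a form submission with the configured Website Origin, and the function names and sample values are constructed for illustration.

```javascript
// Added example: exact-origin check for DSAR form submissions.
// The configured value mirrors the "Website Origin" setting; function names
// and sample origins are assumptions, not the product's API.
function normalizeOrigin(value) {
  // Returns "scheme://host[:port]" or null when the value is not a usable origin.
  if (typeof value !== "string") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;                                   // e.g. the literal string "null"
  }
  if (url.protocol !== "https:") return null;      // refuse http and other schemes
  if (url.username || url.password) return null;   // refuse user@host forms
  return url.origin;                               // host lowercased, default port dropped
}

function isAllowedOrigin(configuredOrigin, originHeader) {
  const expected = normalizeOrigin(configuredOrigin);
  const actual = normalizeOrigin(originHeader);
  // Compare the full origin; never use startsWith/includes/endsWith here.
  return expected !== null && actual !== null && expected === actual;
}

// Constructed sample Origin header values.
const SAMPLE_ORIGINS = [
  "https://yourwebsite.com",                // exact match
  "https://YOURWEBSITE.com:443",            // same origin after normalization
  "http://yourwebsite.com",                 // wrong scheme
  "https://yourwebsite.com.other.example",  // lookalike suffix
  "https://sub.yourwebsite.com",            // subdomain is a different origin
  "https://yourwebsite.com@other.example",  // userinfo form
  "null",                                   // opaque origin
];

function checkSamples(configuredOrigin) {
  return SAMPLE_ORIGINS.map((o) => isAllowedOrigin(configuredOrigin, o));
}

console.log(checkSamples("https://yourwebsite.com"));
```

The Origin header is set by browsers, so this check constrains which sites can host the form in a browser; it does not authenticate non-browser clients.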

    Security Role Assignment

    Defines which role will automatically be assigned as the case owner when a new DSAR is created.

    Example:

    Data Protection Officer

    This ensures:

    • Automatic ownership assignment
    • Clear accountability
    • Reduced manual intervention
    • Compliance alignment with governance structure

    Fulfillment Deadline

    Specifies the default number of days allowed to respond to a DSAR.

    Example:

    30 days

    This ensures:

    • Automated deadline calculation
    • Overdue alerts
    • Regulatory compliance tracking

    The deadline should align with applicable data protection laws.

  6. Embedding the DSAR Form on Website

    To enable external data subjects to submit requests directly, the DSAR form can be embedded on the organization’s website.

    This supports transparency and improves accessibility.

    Step 1: Add the Container Div

    Place the following container where the form should appear:

    <div id="dsar-form-container"></div>

    This defines the display location of the DSAR form.

    Step 2: Add the Script Tag

    Add the provided script link inside the main HTML file:

    <script
      src="https://form-embed.pages.dev/script.js"
      data-token="YOUR_TOKEN"
      data-settings-id="YOUR_SETTINGS_ID">
    </script>
    

    Components Explained:

    • Script Source Link: Loads the DSAR form
    • Token: Authenticates the organization
    • Settings ID: Links the form to the configured DSR settings

    This ensures:

    • Secure form rendering
    • Automatic case creation
    • Owner assignment
    • Deadline calculation

  7. Governance and Compliance Benefits

    Integrating the DSAR workflow with structured settings provides:

    • Automated case assignment
    • Secure identity verification workflow
    • Centralized audit trail
    • Deadline monitoring and alerts
    • Regulatory defensibility
    • Website integration for public transparency

    This transforms DSAR handling from a manual process into a controlled compliance workflow.

  8. Best Practices for DSAR Governance

    • Assign a dedicated Data Protection Officer role
    • Configure deadlines based on regulatory requirements
    • Maintain secure website embedding
    • Document all verification steps
    • Regularly review overdue cases
    • Conduct periodic internal audits of DSAR handling

Conclusion

A structured DSAR management system combined with configurable DSR Settings and secure web form embedding creates a robust privacy compliance framework.

By automating ownership, defining response deadlines, embedding transparent submission forms, and maintaining detailed audit logs, organizations demonstrate accountability and strengthen regulatory compliance.

Effective DSAR governance is not just a legal obligation. It reflects organizational maturity, operational transparency, and commitment to protecting individual privacy rights.