
DSAR Automation: From Weeks to Hours
Data subject access requests are the most operationally expensive compliance obligation most organisations face. Each one triggers a cross-functional exercise involving IT, HR, legal, and compliance, searching multiple systems, reviewing every document for third-party personal data, applying exemptions, and assembling a defensible disclosure package, all within a 30-day statutory deadline.
Most organisations still do this manually. It takes 40–80 hours per request and costs £3,000–£5,000.
PrivacyManager™ by Contextul automates the entire process. Complex DSARs completed in under 48 hours.
Why DSARs Are Becoming Unmanageable
The volume of data subject access requests in the UK and across regulated jurisdictions has increased sharply. The ICO received over 15,000 subject access complaints in its most recent reporting period, the majority caused by organisations failing to respond within the statutory deadline.
Three forces are driving this:
Regulatory awareness.
Data protection authorities have actively encouraged individuals to exercise their rights. Employees know they can submit DSARs before tribunal claims. Consumers know they can request everything a company holds about them. The days of DSARs being a rare event are over.
Data complexity.
The average enterprise holds personal data across dozens of systems: email, HR platforms, CRM, file servers, cloud storage, messaging apps, legacy databases. A single DSAR can require searches across all of them. The data is overwhelmingly unstructured (emails, PDFs, Word documents, scanned images) and often multilingual.
The redaction bottleneck.
Finding the data subject's records is only half the problem. Before disclosure, every document must be reviewed for third-party personal information, privileged content, and applicable exemptions. This manual review accounts for the majority of DSAR processing time and is where most deadline breaches originate.
The result: compliance teams are overwhelmed, deadlines are missed, and the per-request cost makes DSARs one of the most expensive recurring obligations in the enterprise.
How PrivacyManager™ Works
Automated Data Search
Connect PrivacyManager to your data landscape: email servers, HR systems, file servers, SharePoint, cloud storage, CRM, and legacy databases. When a request comes in, PrivacyManager searches across all connected sources and assembles the relevant records automatically.
AI-Powered PII Detection
PrivacyManager's Advanced Pattern Matching engine identifies personal information across every document type: emails, PDFs, Word documents, spreadsheets, scanned images (via OCR), and more. It recognises over 30 billion name combinations across 25 languages and 30 legal jurisdictions. Critically, it detects not just the data subject's information, but the third-party personal data that must be redacted before disclosure.
Automated Redaction
Third-party names, contact details, and identifying information are automatically flagged for redaction. Human reviewers confirm the recommendations and handle edge cases (exemptions, privilege, confidential references) through a guided workflow. What previously took days of manual page-by-page review is reduced to hours of focused exception handling.
Compliant Disclosure
The completed response package is assembled with a full audit trail: what was searched, what was found, what was redacted and why, and which exemptions were applied. Ready for secure delivery to the data subject and defensible in the event of a regulatory inquiry or ICO complaint.

The numbers:
- 95% reduction in manual effort per DSAR
- 94% reduction in processing cost (based on industry average of £4,800 per request)
- Under 48 hours turnaround for complex DSARs (data size dependent)
- 25+ languages supported natively
- 30 legal jurisdictions built in
- 30 billion+ name combinations in the detection engine

DSARaaS: When You'd Rather Not Deal With DSARs At All
Not every organisation has the in-house resource, or the desire, to manage DSARs internally. DSARaaS (DSAR as a Service) is a fully managed service where Contextul's privacy specialists handle every phase of the DSAR lifecycle on your behalf:
- Receiving and validating the request
- Confirming the data subject's identity
- Coordinating with your designated contact to locate and retrieve relevant data
- Screening, organising, and reviewing the gathered data
- Obtaining third-party consent and applying redactions where necessary
- Applying lawful exemptions
- Formally disclosing the information to the data subject
- Documenting the complete DSAR record
- Liaising directly with the relevant regulatory authority if required
DSARaaS is available as an annual subscription for organisations needing year-round support, or in pre-paid blocks of hours for handling overflow, complex one-off requests, or peak periods.
This is not outsourced data processing with limited oversight. Our specialists work within your compliance framework, use your policies, and produce documentation that meets your governance standards. You retain full control; we provide the resource and expertise.
Who uses PrivacyManager™?
Frequently asked questions...
What is a DSAR?
A Data Subject Access Request (DSAR) is a formal request made by an individual, under GDPR Article 15, the UK Data Protection Act 2018, or equivalent legislation, to an organisation, asking for a copy of the personal data held about them. Organisations must respond within 30 calendar days, extendable by two months for complex requests with notice to the data subject.
How does PrivacyManager handle third-party data?
When a DSAR response includes documents containing other people's personal data, such as colleagues' names in emails or third-party contact details in correspondence, that information must be redacted before disclosure. PrivacyManager automatically identifies third-party personal information and flags it for redaction, with human review to handle ambiguous cases and legal exemptions.
What file types can PrivacyManager process?
PrivacyManager processes emails (Outlook, Exchange, Gmail), PDFs, Word documents, Excel spreadsheets, images (via OCR), and most common enterprise document formats. It connects to on-premises file servers, cloud storage (SharePoint, OneDrive, Google Drive), HR platforms, and CRM systems.
How does PrivacyManager handle exemptions?
UK GDPR and the Data Protection Act 2018 provide for various exemptions: legal privilege, management planning, confidential references, regulatory functions, and others. PrivacyManager's workflow guides reviewers through applicable exemptions for each document, with configurable rules based on the request type and jurisdiction.
What does DSARaaS cost?
DSARaaS pricing depends on request volume, complexity, and the scope of data systems involved. Annual subscriptions are typically structured as a fixed number of DSAR hours per year, with overflow billing for peak periods. Contact us for a quote based on your organisation's DSAR profile.
Can PrivacyManager help with other data subject rights?
Yes. While DSAR (right of access) is the most common and operationally intensive request type, PrivacyManager's data discovery and redaction capabilities also support right to erasure, right to rectification, and data portability requests.
How does PrivacyManager compare to OneTrust for DSARs?
OneTrust is a broad privacy management platform with DSAR capabilities as one module among many. PrivacyManager is a dedicated DSAR tool built specifically for the DSAR workflow, particularly the document review and redaction process that accounts for the majority of DSAR effort and cost. Organisations whose primary pain point is DSAR processing speed, cost, and compliance will typically find PrivacyManager delivers faster time-to-value and lower total cost.
The ICO doesn't care how hard DSARs are for your team. They care whether you responded within 30 days.