How to handle a data subject access request (DSAR) for Small Legal and Compliance Teams

Compliance & Legal · For Small Legal and Compliance Teams · 2 apps · 10 steps · ~20 min to set up

A DSAR lands in your Gmail at 4 PM on a Tuesday. You have 30 days — or 72 hours if it's a breach-adjacent request in a GDPR jurisdiction. You're already mid-redline on a vendor DPA. The request needs to be logged, acknowledged within a defined window, routed to engineering for database exports, routed to HR for employee records if it's a staff requester, and reconciled against what your privacy policy actually promises. You're doing this in a shared Google Doc, a Notion tracker that's three quarters stale, and a chain of Slack messages that will absolutely not hold up in a regulatory audit. OneTrust would solve this — it also costs $80K and assumes a dedicated privacy-ops person to run it.

Outcome

What you'll set up

A structured DSAR intake log that auto-captures requests from Gmail, assigns a 30-day deadline, and tracks status (received → acknowledged → data gathered → reviewed → fulfilled) so nothing falls through the cracks during a busy contract week
An email triage surface that surfaces DSAR requests from the noise of your inbox, drafts the required acknowledgment email in your organization's voice, and sets a follow-up reminder if the requester doesn't confirm receipt
A task queue that breaks each DSAR into owner-assigned subtasks — engineering export, HR check, legal review, redaction, fulfillment — with P1 priority flags and due-date alerts so the 30-day clock is always visible
The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Apps used: Email Triage, Task Manager
Data sources & config

Starch syncs your Gmail data on a schedule so the email triage app monitors your inbox continuously for DSAR-pattern requests. The Task Manager app is built natively in Starch with no external connection required. If your team tracks contracts or policies in Notion, connect Notion from Starch's integration catalog so the agent can query your existing privacy policy and data-map documentation live when building a DSAR response. If you use Slack for cross-functional coordination with engineering and HR, connect Slack from Starch's integration catalog so the agent can post subtask assignments directly to the right channel.

Prompts to copy
Monitor my Gmail for any email containing 'data subject access request', 'right to access', 'DSAR', or 'GDPR request'. When one arrives, create a new DSAR record with the requester's name, email, date received, and a 30-day response deadline. Draft an acknowledgment reply in a professional legal tone confirming we received their request and will respond within 30 days. Flag the email as P1 and remind me daily until acknowledged.
Build me a DSAR task tracker. Each DSAR should have subtasks: (1) send acknowledgment, (2) request data export from engineering, (3) check HR systems for employee data, (4) legal review and redaction, (5) send fulfillment package. Each subtask needs an owner field, a due date, and a status. Alert me if any subtask is overdue. Show me a kanban view of all open DSARs by stage.
Every Friday at 9 AM, send me a summary of all open DSARs: how many are open, which ones have response deadlines within 10 days, which subtasks are overdue, and which are waiting on engineering or HR.
Run these in Starch → or paste them into your favorite agent
Walkthrough

Step-by-step

1 Connect Gmail to Starch (Starch syncs your Gmail data on a schedule). If your team uses Outlook, connect that instead — same capability.
2 Open the Email Triage app and give Starch the prompt: monitor for DSAR-pattern emails, create a structured intake record for each one, and draft the required acknowledgment reply.
3 Configure the acknowledgment draft template — paste in your jurisdiction-specific language (e.g., 'We have received your request under Article 15 GDPR and will respond within 30 days'). Starch uses this as the base for every draft.
4 Set up the Task Manager app with a DSAR project template: five standard subtasks per request (acknowledge, gather engineering data, gather HR data, legal review and redaction, send fulfillment), each with an owner field and a due date calculated from the intake date.
5 Wire a 30-day countdown alert: tell Starch 'if any open DSAR has fewer than 10 days remaining on its deadline, send me an email and post a Slack message to #legal-alerts.' Connect Slack from Starch's integration catalog for the Slack step.
6 If your data map or privacy policy lives in Notion, connect Notion from Starch's integration catalog. Add a prompt step: 'When a new DSAR arrives, pull the relevant data-retention and data-category entries from our Notion data map so I know which systems to query.'
7 For the engineering data-export subtask, Starch drafts a pre-filled request email to your engineering DRI that includes the requester's identifier, the systems listed in your Notion data map, and the internal deadline (typically 21 days to leave room for legal review). You review and send with one click.
8 When engineering returns the export, mark that subtask complete in the Task Manager. Starch surfaces the next pending task — legal review — and flags any PII in the export that requires redaction before fulfillment.
9 Once redaction is complete, Starch pulls the requester's original email thread from Gmail, drafts the fulfillment letter, and attaches instructions for how to send the data package securely.
10 Mark the DSAR fulfilled. Starch logs the closed date, total days to fulfill, and any notes for your records. This creates an auditable history of every DSAR your team has handled.
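The ten steps above describe one procedure: match an incoming email against the DSAR keywords, open a record with a 30-day deadline, expand it into owner-assigned subtasks, raise an alert when fewer than 10 days remain, and log the closed date and days-to-fulfil. The following Python model is an added example of that procedure, not Starch's own code; it assumes the owner assignments and the day offsets for the acknowledgment, HR, legal-review and fulfilment subtasks (only engineering's 21-day internal deadline and the 30-day window come from the page). It also adds 'article 15' to the keyword list as an assumption, because the four literal keywords in the monitoring prompt would not match the worked example's own request text ("...under GDPR Article 15"); a keyword monitor is only as good as its list, so test it against real past requests before relying on it.

```python
"""Constructed DSAR intake and tracking model (added example, not Starch's code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

RESPONSE_WINDOW_DAYS = 30      # statutory response window used throughout the page
ALERT_THRESHOLD_DAYS = 10      # step 5: alert when fewer than 10 days remain

# The first four keywords are the page's monitoring prompt; 'article 15' is an
# added assumption so that a request citing the article is not missed.
DSAR_KEYWORDS = ("data subject access request", "right to access", "dsar",
                 "gdpr request", "article 15")

# Subtask template from step 4: (name, owner, due-day offset from intake).
# Offsets 1, 25 and the owners are assumptions; 21 (step 7) and 30 are from the page.
SUBTASK_TEMPLATE = (
    ("send acknowledgment", "legal", 1),
    ("request data export from engineering", "engineering", 21),
    ("check HR systems for employee data", "hr", 21),
    ("legal review and redaction", "legal", 25),
    ("send fulfillment package", "legal", RESPONSE_WINDOW_DAYS),
)


@dataclass
class Subtask:
    name: str
    owner: str
    due: date
    done_on: Optional[date] = None


@dataclass
class DSAR:
    requester: str
    email: str
    received: date
    deadline: date
    subtasks: List[Subtask] = field(default_factory=list)
    closed_on: Optional[date] = None


def is_dsar_email(subject: str, body: str) -> bool:
    """Case-insensitive keyword match, as in the monitoring prompt."""
    text = f"{subject}\n{body}".lower()
    return any(keyword in text for keyword in DSAR_KEYWORDS)


def open_dsar(requester: str, email: str, received: date) -> DSAR:
    """Create the intake record with its deadline and the five subtasks."""
    deadline = received + timedelta(days=RESPONSE_WINDOW_DAYS)
    subtasks = [Subtask(name, owner, received + timedelta(days=offset))
                for name, owner, offset in SUBTASK_TEMPLATE]
    return DSAR(requester, email, received, deadline, subtasks)


def complete_subtask(dsar: DSAR, name: str, on: date) -> None:
    for subtask in dsar.subtasks:
        if subtask.name == name:
            subtask.done_on = on
            return
    raise KeyError(name)


def stage(dsar: DSAR) -> str:
    """Map completed subtasks onto the page's status chain."""
    done = {s.name for s in dsar.subtasks if s.done_on is not None}
    if "send fulfillment package" in done:
        return "fulfilled"
    if "legal review and redaction" in done:
        return "reviewed"
    if {"request data export from engineering", "check HR systems for employee data"} <= done:
        return "data gathered"
    if "send acknowledgment" in done:
        return "acknowledged"
    return "received"


def days_remaining(dsar: DSAR, today: date) -> int:
    return (dsar.deadline - today).days


def needs_deadline_alert(dsar: DSAR, today: date) -> bool:
    """Step 5: open DSAR with fewer than 10 days left on the clock."""
    return dsar.closed_on is None and days_remaining(dsar, today) < ALERT_THRESHOLD_DAYS


def overdue_subtasks(dsar: DSAR, today: date) -> List[Subtask]:
    return [s for s in dsar.subtasks if s.done_on is None and s.due < today]


def close_dsar(dsar: DSAR, fulfilled_on: date) -> int:
    """Step 10: record the closed date and return total days to fulfil."""
    dsar.closed_on = fulfilled_on
    return (fulfilled_on - dsar.received).days


def weekly_summary(dsars: List[DSAR], today: date) -> dict:
    """The Friday summary from the third prompt, as plain data."""
    open_cases = [d for d in dsars if d.closed_on is None]
    return {
        "open": len(open_cases),
        "deadline_within_threshold": [d.requester for d in open_cases
                                      if needs_deadline_alert(d, today)],
        "overdue_subtasks": {d.requester: [s.name for s in overdue_subtasks(d, today)]
                             for d in open_cases if overdue_subtasks(d, today)},
        "waiting_on": {d.requester: sorted({s.owner for s in d.subtasks
                                            if s.done_on is None and s.owner in ("engineering", "hr")})
                       for d in open_cases},
    }
```

Run against the worked example (received 2026-04-07), the model gives the May 7 deadline, the "data gathered" stage after the engineering and HR subtasks close, and 15 days to fulfil on April 22; note that the page's sample request text only matches because of the added 'article 15' keyword.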

See this running on Starch

Connect your tools, describe what you want, and the agent builds it. Closed beta is free.

Worked example

April 2026 — Former employee DSAR

Sample numbers from a real run
Date request received: 2026-04-07
Response deadline (30 days): 2026-05-07
Acknowledgment sent (Day 1): 2026-04-07
Engineering export received (Day 9): 2026-04-16
HR records confirmed (Day 11): 2026-04-18
Legal review and redaction (Day 14): 2026-04-21
Fulfillment sent (Day 15): 2026-04-22

On April 7, a former employee emails your company's privacy inbox: 'I'm requesting all personal data you hold about me under GDPR Article 15.' The Email Triage app catches it within the next sync cycle, creates a DSAR record with a May 7 deadline, and drafts an acknowledgment that your team sends the same afternoon — Day 1 complete. The Task Manager breaks the case into five subtasks. Starch drafts the engineering data-request email pre-filled with the requester's employee ID and the relevant systems (HRIS, payroll, email archive) pulled from your Notion data map. Engineering returns a 4 GB export on Day 9. HR confirms no additional records exist on Day 11. On Day 14, your legal review identifies three internal performance-review documents that include third-party employee names — those get redacted before the package goes out. Fulfillment lands in the requester's inbox on Day 15, 15 days ahead of the GDPR deadline. The closed record in Starch shows the full timeline, who handled each step, and what was included — ready if a supervisory authority ever asks.

Measurement

How you'll know it's working

Days to fulfill per DSAR (target: under 30 for GDPR, under 45 for CCPA)
Acknowledgment turnaround time (target: same business day)
Open DSARs with fewer than 10 days remaining on the clock
Subtask overdue rate by owner (engineering, HR, legal)
DSAR volume by requester type (customer, former employee, prospect) — tracks whether a pattern warrants a policy update
Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

OneTrust Privacy Management
Built specifically for DSAR and consent management with regulatory workflow templates — but starts at $80K+ annually and requires a dedicated privacy-ops admin to configure and maintain; not realistic for a 2-person legal team without a legal-ops budget.
Shared Google Doc + Notion tracker
Free and already in use, but no automatic intake from Gmail, no deadline alerts, no subtask ownership tracking, and no audit trail that would hold up if a supervisory authority requests your DSAR logs.
TrustArc
Comprehensive privacy program management including DSAR workflows, but enterprise pricing and implementation timelines measured in months — you'll have handled dozens of DSARs manually before it's live.
Notion-only custom database
More structured than a shared doc, but still requires someone to manually create each record, set deadlines, and chase subtask owners — none of which is automated.
On Starch (recommended)

One platform: the email triage inbox and task manager, all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

FAQ

Frequently asked questions

Does Starch store the personal data from a DSAR response — the employee or customer records engineering exports?
No. Starch is tracking the workflow (intake record, deadlines, subtask status, acknowledgment drafts) — not the personal data payload itself. The engineering export stays in your secure file transfer or email system. Starch holds metadata about the case, not the underlying personal records. That said, Starch is not SOC 2 Type II certified today, so if your DPA with a data subject requires a SOC 2 Type II processing environment for any metadata you store, factor that in.
Can Starch handle DSARs that come in through channels other than Gmail — a web form, a Zendesk ticket, a physical letter?
For Zendesk, connect it from Starch's integration catalog and tell Starch to monitor for tickets tagged 'DSAR' or containing the relevant keywords — the agent queries it live. For a web form, if it routes submissions to your Gmail, Starch picks them up automatically. For a physical letter, you'd manually create the intake record in the Task Manager — Starch handles everything downstream from there.
What if the DSAR involves data in systems we haven't mapped yet — a SaaS tool IT bought last quarter?
That's a data-map gap, not a Starch gap. Starch connects to 3,000+ apps through its integration catalog, plus any website through browser automation — so if the new SaaS tool is web-based and you can log into it, Starch can automate a lookup there. The harder problem is knowing you need to check it. Build your data map in Notion and keep it connected to Starch; the agent can reference it every time a new DSAR opens.
We use Outlook, not Gmail. Does this work?
Yes. Starch syncs your Outlook data on a schedule the same way it does Gmail — messages, calendars, contacts. Swap Gmail for Outlook in every step above and the workflow is identical.
Can Starch send the acknowledgment and fulfillment emails automatically, or does a human always review?
Starch drafts both — you review and send. This is intentional for DSAR workflows: the acknowledgment and fulfillment letters are legal communications with regulatory consequences, and you want a human eye on every one before it goes out. Starch makes that review a 30-second read instead of a 20-minute drafting session.
We're also tracking vendor-risk questionnaires and policy attestations. Can the same Starch setup handle those?
Yes. They're separate workflows but the same composable pieces — email triage for incoming vendor questionnaires, a task tracker for attestation deadlines, Notion sync for your policy library. Describe each one to Starch separately and it builds them as distinct apps. You're not buying a platform that has a pre-built vendor-risk module you have to conform to — you're describing exactly what your 2-person team needs and Starch builds it.

Ready to handle a data subject access request (DSAR) on Starch?

Request closed-beta access. Everything is free during beta.
