How to handle a Data Subject Access Request (DSAR) with AI

Compliance & Legal | 3 AI tools | 7 steps | 6 friction points

A Data Subject Access Request (DSAR) is a formal request from an individual (a customer, employee, or user) asking to see what personal data you hold about them, why you're processing it, and who you've shared it with. The response window is statutory and short: one calendar month from receipt under GDPR and UK GDPR (extendable by up to two further months for complex or numerous requests, provided you tell the requester within the first month), and 45 days under CCPA (extendable once by a further 45). For small operator teams without a dedicated privacy or legal function, this lands on the founder or ops lead, and the clock starts the moment the request arrives, not the moment someone notices it.

DSARs feel like AI problems because they're document-heavy and formulaic. You need to locate data across multiple systems, summarize it clearly, redact third-party information, and produce a structured response letter — all tasks that look like 'read inputs, apply rules, produce output.' The process is repetitive enough that doing it manually feels wasteful, but legally significant enough that you need the output to be accurate and auditable. That tension is exactly what makes people reach for ChatGPT or Claude.

General-purpose AI tools can genuinely help here. You can paste in a raw DSAR email and have Claude identify what's being requested. You can use ChatGPT to draft a compliant acknowledgment letter or a final response. Gemini can help you build a data-mapping checklist so you know which systems to search. The tools are capable; the friction is in the handoffs: routing the request, querying your actual systems, tracking deadlines, and maintaining a log that would hold up to a regulator. One caveat before you paste anything: the requester's personal data is still personal data when it sits in a prompt, so use a business tier with a data-processing agreement and training on your inputs switched off, and paste only what the step in front of you needs.

AI walkthrough

How to do it with AI today

A practical walkthrough using ChatGPT, Claude, and other off-the-shelf LLMs — what they're good at, what you'll have to do by hand.

Tools that work for this
Claude, ChatGPT, Gemini
Step-by-step
1 Paste the raw DSAR email into Claude and ask it to extract the requester's identity, the specific rights being invoked (access, deletion, portability), and the data categories mentioned. This gives you a structured intake summary in under a minute. Before you disclose anything, confirm the requester is who they claim to be: reply to the address you already hold on file, or, where there is genuine doubt, ask for additional identifying information (GDPR Article 12(6) allows this). A DSAR sent from a look-alike address is a cheap way to extract someone else's records.
2 Use ChatGPT to draft a compliant acknowledgment email. Paste in your jurisdiction (e.g., 'UK GDPR, one-month response window'), the requester's name, and the date received. Ask it to generate an acknowledgment letter confirming receipt and the response deadline.
3 Open a spreadsheet and manually list every system that might hold data on this individual — CRM, email, billing, support tickets, HR software. Use Gemini to generate a system-by-system data-search checklist based on your stack. You'll need to search each system yourself.
4 Export or copy data from each system (contact records, transaction history, support threads, email exchanges). Paste relevant excerpts into Claude and ask it to summarize what personal data you hold and in what context, formatted per your response template. Strip anything the summary doesn't need before pasting (payment details, other customers' records), because every excerpt you paste is itself a disclosure to the model provider.
5 Ask ChatGPT to review the compiled data for third-party information that needs to be redacted before disclosure. Paste the summary and ask: 'Flag any mentions of individuals other than [requester name] that should be redacted in a DSAR response.' Treat the output as a first pass, not the review: the model's flagging is non-deterministic and will miss things, so read the compiled data yourself and keep a note of each redaction and the reason for it.
6 Use Claude or ChatGPT to draft the final response letter. Include the data summary, the legal basis for processing, retention periods, and the requester's right to complain to a supervisory authority. Edit for accuracy before sending.
7 Log the request, acknowledgment date, response date, and outcome in a spreadsheet manually. Set a calendar reminder for the statutory deadline. Repeat this entire process for every future DSAR.
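The two parts of the procedure that should not depend on a model's mood are the deadline (step 7) and the record of what was redacted and why (step 5). The block below is an added example for this walkthrough, not code from the page or from Starch: it computes the response deadline per framework (one calendar month for GDPR and UK GDPR using the ICO's corresponding-date rule, 45 days for CCPA, with the optional extension), checks whether a reminder is due, and runs a deterministic redaction pass that masks every email address other than the requester's and every named third party while logging each change. The framework table, field names, and the sample summary are assumptions for illustration; confirm the windows for your own jurisdiction.

```python
"""DSAR intake record: statutory deadline, reminder check, redaction audit trail.

Added example for this walkthrough, not code from the page or from Starch. It
implements the log from step 7 and the third-party redaction pass from step 5
deterministically. The framework windows, field names and sample summary are
assumptions for illustration; confirm the windows for your own jurisdiction.
"""
from __future__ import annotations

import calendar
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Response windows as (unit, initial, extension). GDPR / UK GDPR: one calendar
# month, extendable by two further months for complex requests. CCPA: 45 days,
# extendable once by 45. Assumed mapping, kept in one place so it can be audited.
WINDOWS = {"gdpr": ("month", 1, 2), "uk_gdpr": ("month", 1, 2), "ccpa": ("day", 45, 45)}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def as_date(d: date | str) -> date:
    return date.fromisoformat(d) if isinstance(d, str) else d


def add_months(d: date, months: int) -> date:
    """Corresponding date in a later month. If that day does not exist (31 Jan
    plus one month), fall back to the last day of the target month, which is
    how the ICO counts a one-month deadline."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def response_deadline(received: date | str, framework: str, extended: bool = False) -> date:
    unit, initial, extension = WINDOWS[framework]
    span = initial + (extension if extended else 0)
    start = as_date(received)
    return add_months(start, span) if unit == "month" else start + timedelta(days=span)


@dataclass
class Redaction:
    original: str
    placeholder: str
    reason: str


@dataclass
class DsarRecord:
    requester_name: str
    requester_email: str
    received: date
    framework: str
    extended: bool = False
    systems_searched: list[str] = field(default_factory=list)
    redactions: list[Redaction] = field(default_factory=list)

    @property
    def deadline(self) -> date:
        return response_deadline(self.received, self.framework, self.extended)

    def days_remaining(self, today: date | str) -> int:
        return (self.deadline - as_date(today)).days

    def needs_reminder(self, today: date | str, lead_days: int = 7) -> bool:
        """True once the deadline is lead_days away or closer, including overdue."""
        return self.days_remaining(today) <= lead_days

    def redact(self, text: str, third_parties: list[str]) -> str:
        """Deterministic redaction pass: mask every email address other than the
        requester's and every named third party, recording each change."""
        def mask_email(match: re.Match) -> str:
            addr = match.group(0)
            if addr.lower() == self.requester_email.lower():
                return addr
            placeholder = f"[EMAIL-{len(self.redactions) + 1}]"
            self.redactions.append(Redaction(addr, placeholder, "third-party email address"))
            return placeholder

        out = EMAIL_RE.sub(mask_email, text)
        for n, name in enumerate(third_parties, 1):
            if name in out:
                placeholder = f"[THIRD-PARTY-{n}]"
                self.redactions.append(Redaction(name, placeholder, "named third party"))
                out = out.replace(name, placeholder)
        return out


# Constructed sample data; not a real request or real people.
SAMPLE_SUMMARY = (
    "Support ticket #4412 from jane.doe@example.com was escalated by "
    "Tom Bright (tom.bright@example.com); Jane later cc'd her partner Sam Doe."
)


def demo() -> tuple[DsarRecord, str]:
    """Run the intake for a constructed request received on 31 January 2024."""
    rec = DsarRecord("Jane Doe", "jane.doe@example.com", date(2024, 1, 31), "uk_gdpr")
    rec.systems_searched += ["hubspot", "zendesk", "gmail"]
    return rec, rec.redact(SAMPLE_SUMMARY, third_parties=["Tom Bright", "Sam Doe"])
```

Two design points matter here. The deadline is calculated from the framework, not typed in: a request received on 31 January lands on 29 February under UK GDPR (a 30-day rule would have said 1 March, a day late) and on 16 March under CCPA. The redaction list is the audit trail the reality check below says is missing from the manual process: every placeholder maps back to the original string and a stated reason, so a reviewer can see what was removed without re-reading the whole document, and the same input always produces the same output.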
Prompts you can copy
Here is a DSAR email we received. Extract: the requester's full name, the rights they are invoking, the data categories they are asking about, and the date the request was made. Format as a structured list.
Draft a GDPR-compliant acknowledgment letter for a DSAR received today from [Name]. Our response deadline is one month from receipt. Confirm we have received the request and state when they can expect a response. Formal tone, under 200 words.
I have compiled the following personal data we hold about a data subject: [paste summary]. Draft a DSAR response letter covering: what data we hold, why we process it, who we share it with, how long we retain it, and how to escalate a complaint. UK GDPR format.
Review this data summary before we send it as a DSAR response. Flag any text that refers to or identifies a third party other than the data subject, which should be redacted before disclosure: [paste summary].
Build me a DSAR intake checklist for a SaaS company using HubSpot, Stripe, Gmail, Zendesk, and Slack. For each system, list what personal data types to search for and how to export them.
Reality check

Where this gets hard

The walkthrough above works, until the underlying data changes, the LLM hallucinates, or you have to re-paste everything next month.

No live connection to your actual systems — you manually search HubSpot, Stripe, Gmail, and Zendesk separately, then copy-paste results into the LLM every single time.
Nothing tracks the statutory deadline automatically: you set a calendar reminder by hand, and if it gets buried, you find out when the requester (or the regulator) follows up.
Each DSAR starts from scratch — there's no persistent log of past requests, response templates used, or data-mapping decisions you made last time.
Output format drifts between sessions — the response letter structure Claude produced three months ago isn't what you'll get today unless you re-specify every constraint in a new prompt.
Redaction is manual and error-prone — the LLM will flag candidates, but you're still reviewing a document line by line with no systematic audit trail of what was redacted and why.
No intake routing — a DSAR that arrives in a shared inbox can sit unnoticed for days before someone realizes the compliance clock has already started.

Tired of the friction?

Starch runs the whole workflow on live data — no copy-paste, no hallucinated numbers, no re-prompting next month.

Starch alternative

The same workflow on Starch

Starch is an agentic operating system — it builds and runs the software your DSAR workflow depends on, connected to your live business data, so the process doesn't restart from a blank prompt every time a request arrives.

Connect Gmail or Outlook through Starch's scheduled sync — the Email Triage app surfaces incoming DSARs automatically, flags them by priority, and drafts an acknowledgment reply you can send in one click without ever opening a raw prompt.
Describe the intake tracker you need in plain English: 'Build me a DSAR log that captures requester name, request date, response deadline, data systems searched, and response status.' Starch builds the app; it persists across every request you'll ever receive.
Connect HubSpot, Stripe, and Gmail from Starch's integration catalog — when a DSAR comes in, an automation can query each system for records tied to that email address and compile a structured data summary, instead of you searching each system by hand.
Use the Knowledge Management app to store your DSAR response templates, redaction guidelines, and jurisdiction-specific rules — AI search means whoever handles the next request finds the right template instantly instead of asking you where it lives.
Set a deadline automation once: 'Seven days before any DSAR response deadline, Slack me a reminder with the requester name and outstanding items.' It runs against live data every time, not just when you remember to check a spreadsheet.
The Task Manager app (currently in beta) lets you capture and track each DSAR as a prioritized task with a due date — so open requests don't disappear into an inbox and overdue alerts fire before a deadline passes, not after.