DSAR software automates the workflow behind a data subject access request under Art. 15 GDPR: intake, identity verification, locating the requester’s data across your systems, redaction, and delivery — all inside the one-month statutory deadline of Art. 12(3) GDPR. The tools worth comparing in 2026 are OneTrust, TrustArc, DataGrail, Osano, Transcend and, for EU organisations wanting legal-grade documentation, Legiscope. They differ most on three axes: how they verify identity without over-collecting, how deeply they search connected systems, and what they cost per request. This comparison ranks them on exactly those points.
Get identity verification wrong and the tool becomes a liability: the Dutch DPA fined DPG Media EUR 525,000 in 2020 for demanding a copy of an ID document to process access requests. The software you pick should make the compliant path the default.
Key Takeaways
- A DSAR tool must cover four stages: secure intake, proportionate identity verification, cross-system data discovery, and deadline-tracked delivery.
- Over-verification is itself a violation. Requiring ID copies by default cost DPG Media EUR 525,000 (Dutch DPA, 2020) — pick software that verifies proportionately.
- The one-month deadline (Art. 12(3) GDPR, extendable by two months for complex requests) is the hard constraint every tool must track.
- Manual DSAR handling costs EUR 100-1,500+ per request in staff time; automation moves the cost of a routine request toward near-zero once configured.
What a DSAR Tool Must Do
The right of access is defined in Art. 15 GDPR and governed procedurally by Art. 12. A tool earns its price by covering the full lifecycle:
- Intake — a branded, accessible request form (or email/portal capture) that logs the request and starts the clock.
- Identity verification — confirming the requester is who they claim to be, using the least intrusive method sufficient. The EDPB Guidelines 01/2022 on the right of access are explicit that controllers should not collect more data than necessary to authenticate.
- Data discovery — locating every copy of the requester’s personal data across CRM, support, marketing, HR and cloud systems. This is where cheap tools stop and expensive ones connect.
- Review and redaction — removing third-party data and exempt material before disclosure.
- Delivery and audit trail — providing the response in a durable format and logging every step for accountability under Art. 5(2) GDPR.
For the underlying obligation, see our guides to the data subject access request process and the right of access under the GDPR.
Identity Verification: Where Tools Help or Hurt
This is the single most misconfigured part of DSAR handling. The rule from Art. 12(6) GDPR is that a controller may request additional information to confirm identity only where there are reasonable doubts — not as a blanket policy.
- Good default: verify through an existing authenticated channel (the logged-in account, the email already on file) before ever asking for documents.
- Bad default: demanding a passport or ID scan up front. That is what earned DPG Media its EUR 525,000 fine, and it creates a fresh pile of sensitive data you now have to protect.
When comparing tools, test the out-of-the-box verification flow. If it asks for ID by default, it is configured against you.
The One-Month Deadline
Art. 12(3) GDPR requires a response without undue delay and within one month of receipt. That can be extended by up to two further months for complex or numerous requests, but only if you inform the requester within the first month and explain why. A DSAR tool must:
- start the clock automatically on intake,
- surface approaching deadlines before they are breached,
- document any extension and the notice sent.
Missed deadlines are a common trigger for complaints, and complaints are how ordinary companies end up in an enforcement file. Transparency obligations around these communications are detailed in our guide to Art. 12 GDPR transparency.
DSAR Software Compared
| Tool | Strengths | Watch-outs | Pricing |
|---|---|---|---|
| Legiscope | EU-hosted, legal-grade documentation, ties DSAR handling to your ROPA and processor map | Not a consent-banner tool | From SME tiers; on request |
| OneTrust | Deepest automation, many connectors, robotic data discovery | Enterprise cost and setup; over-scoped below 300 staff | EUR 30,000-100,000+/yr |
| TrustArc | Mature workflow, assessments | US-centric, limited EU localisation | Enterprise, on request |
| DataGrail | Strong integrations, good automation of discovery | US-focused; priced for mid-market up | On request |
| Osano | Approachable, DSAR + consent in one | Discovery depth lighter than enterprise suites | Mid-range, published tiers |
| Transcend | Engineering-led data discovery across systems | Developer setup effort; enterprise pricing | On request |
For where DSAR fits in a full compliance stack, compare against the category leaders in our best GDPR compliance software roundup, and see the broader GDPR software cost and pricing benchmark.
Cross-System Discovery: Where Price Buys Depth
Discovery is the axis that separates a EUR 79/month module from a five-figure suite. A basic tool searches only the systems you connect by hand — CRM, helpdesk, primary mailbox. A deep one crawls the wider SaaS estate automatically and follows the data into backups, log stores, analytics warehouses and sub-processor systems where copies quietly accumulate. The test to run in a demo is concrete: give the vendor a real test identity and ask it to surface every place that person appears. If the answer is “the three systems you configured,” you are buying a workflow tracker, not a discovery engine — acceptable at low volume, inadequate for a consumer brand fielding hundreds of requests. Match discovery depth to how scattered your data genuinely is, not to the ambition of the demo.
Redaction and the Third-Party Data Problem
Art. 15(4) GDPR states the right to obtain a copy “shall not adversely affect the rights and freedoms of others” — which in practice means removing third-party personal data before disclosure. A support ticket naming another customer, an internal note about a colleague, a shared document: each must be redacted, and doing it by hand across a large export is slow and mistake-prone. Tools differ sharply here. The weaker ones offer only a document viewer; the stronger ones support inline redaction with an audit log of what was removed and why. Under-redacting leaks other people’s data; over-redacting withholds what the requester is legally entitled to. Neither is safe, and this review-and-redact step is where most of the human time in a manual DSAR is actually spent — so it is the first place automation earns back its price.
Cost Per Request: Manual vs Automated
The economics are what justify a purchase. A single manual DSAR — logging it, verifying identity, searching half a dozen systems by hand, redacting, drafting a response — routinely consumes several hours of skilled time.
| Volume | Manual cost/request | With automation |
|---|---|---|
| Occasional (a few/year) | EUR 100-400 | Marginal once configured |
| Regular (dozens/year) | EUR 300-1,000 | Low per-request |
| High (hundreds/year, consumer brands) | EUR 500-1,500+ | Lowest per-request; automation essential |
At high volume the manual route does not just cost money — it risks the deadline. A consumer app receiving hundreds of requests a year cannot answer them by hand inside a month without a dedicated team.
Choosing the Right Tool
- SME with occasional requests: a DSAR module inside your GDPR platform (Legiscope, Osano) beats a standalone enterprise tool. You want it linked to your ROPA so discovery knows where data lives.
- Consumer brand with high request volume: invest in deep automated discovery (DataGrail, Transcend, OneTrust) — the per-request savings are real.
- Multinational with existing suite: you likely already own DSAR capability inside OneTrust/TrustArc; the fix is configuration (fix the ID-verification default), not a new tool.
- Any organisation: verify identity proportionately, track the one-month clock automatically, and keep the full audit trail. Those three are non-negotiable regardless of vendor.
FAQ
What is DSAR software?
DSAR software automates the handling of data subject access requests under Art. 15 GDPR — from intake and identity verification through cross-system data discovery, redaction and deadline-tracked delivery. It exists to answer requests correctly inside the one-month statutory limit while keeping an accountability trail.
Can I demand an ID copy to verify a DSAR?
Not by default. Art. 12(6) GDPR allows additional verification only where you have reasonable doubts about identity, and the least intrusive sufficient method must be used. Requiring ID scans as standard is exactly what the Dutch DPA fined DPG Media EUR 525,000 for in 2020. Verify through existing authenticated channels first.
How long do I have to answer a DSAR?
One month from receipt under Art. 12(3) GDPR, extendable by up to two additional months for complex or numerous requests — but only if you notify the requester within the first month and explain the delay. Good DSAR software starts and tracks this clock automatically.
How much does DSAR software cost?
It ranges from a module inside an SME GDPR platform (bundled, often low four figures per year) to enterprise suites at EUR 30,000-100,000+. The right benchmark is cost per request: manual handling runs EUR 100-1,500+ each, so automation pays off quickly once you handle more than a handful.
Conclusion
DSAR software is worth buying when request volume, deadline pressure or audit risk make manual handling untenable — which for most companies with a real user base is sooner than they expect. Rank the options on the three things that actually matter: proportionate identity verification (do not repeat DPG Media’s EUR 525,000 mistake), reliable one-month deadline tracking, and data discovery deep enough to find every copy. For EU organisations that want the DSAR workflow tied to a legal-grade ROPA rather than bolted on, Legiscope is a strong fit; high-volume consumer brands should weigh the deeper discovery of the enterprise suites against their cost.
See Legiscope in action
AI-powered GDPR compliance that saves 340+ hours/year. Trusted by compliance professionals across Europe.
Request a demo



