Overview#
A citizen contacts your organisation exercising their right of access under GDPR Article 15. Within the statutory 30-day window, your team must locate every record that holds the person's personal data, compile it into a portable format, redact third-party information, and deliver a verified response. Without automation, this process spans multiple systems, consumes significant analyst time, and carries a high risk of an incomplete response.
The GDPR Compliance and Data Subject Access Request (DSAR) module automates this entire lifecycle. It provides structured workflows for receiving and verifying data subject requests, identifying and extracting personal data held across connected services, managing consent records, and producing audit-ready compliance reports. The same engine handles erasure requests ("right to be forgotten") and data portability exports, giving organisations a single, auditable path through all eight GDPR data-subject rights.
Key Features#
- Automated DSAR intake: Structured intake forms capture the request type, verify the requestor's identity, and open a timestamped compliance case, ensuring the statutory response clock starts from a confirmed, auditable baseline.
- Personal data discovery: The module traces personal data across all connected services using a maintained data lineage map, so no relevant record is overlooked when assembling a response.
- Consent management: Granular consent records are stored per data subject, per processing purpose, and per legal basis, with a full history of grants and withdrawals available for regulatory inspection.
- Right-to-erasure execution: Verified erasure requests trigger coordinated deletion and redaction across every data store holding the subject's records, with confirmation logged to the immutable audit trail.
- Data portability export: Personal data can be exported in machine-readable formats, enabling data subjects to transfer their information to another controller in accordance with Article 20.
- Automated redaction: When a response package contains records that include third-party personal data, the module applies rule-based redaction before delivery, protecting the rights of other individuals.
- Compliance reporting: Pre-built report templates satisfy Article 30 Record of Processing Activities obligations, DPIA summaries, and breach notification timelines, and can be exported for submission to a supervisory authority.
- Breach notification workflow: When a personal data breach is identified, the module tracks notification obligations, generates the required supervisory authority report, and records communication with affected data subjects within the 72-hour window.
Use Cases#
- Fulfilling citizen access requests: Organisations subject to GDPR can respond to Article 15 access requests within the statutory period, with a complete, verified response package compiled automatically.
- Right-to-erasure execution: Upon a validated Article 17 request, all personal data for the subject is located and permanently removed or anonymised, with a signed completion record provided to the requestor.
- Consent audit and withdrawal: Legal and compliance teams can inspect the full consent history for any data subject and process a withdrawal request that propagates immediately to all processing activities.
- Data portability for service migration: Individuals moving to a competing service can receive a portable, structured export of all personal data held, satisfying Article 20 without manual intervention.
- Supervisory authority investigation support: If a Data Protection Authority requests evidence of compliance, the audit trail and Article 30 records are exportable in a format suitable for formal submission.
Integration#
The DSAR module integrates with the broader authentication and identity platform so that every request is tied to a verified identity before processing begins. It connects to audit trail systems to ensure every case action is immutably logged, and exposes a documented API that privacy impact assessment tools and third-party data mapping platforms can call to retrieve lineage information or submit erasure confirmations. Organisations with existing case management or ticketing systems can route DSAR notifications through webhooks, keeping compliance workflows aligned with existing operational processes.
Open Standards#
- GDPR (Regulation (EU) 2016/679): The module is designed around the eight data-subject rights defined in GDPR, with dedicated workflows for Articles 15, 16, 17, 18, 19, 20, 21, and 22.
- ISO/IEC 27701:2019: Privacy Information Management System controls map directly to the module's consent, lineage, and breach notification capabilities, supporting organisations seeking ISO 27701 certification.
- ISO/IEC 27001:2022: Information security controls governing access to personal data records align with Annex A requirements, supporting integrated ISMS certification.
- W3C Data Privacy Vocabulary (DPV): Consent records and processing purpose descriptions use terminology consistent with the W3C Data Privacy Vocabulary, facilitating interoperability with other compliant systems.
- RFC 7519 (JSON Web Token): Identity assertions used to authenticate data subject requests and operator actions are issued as signed JSON Web Tokens, enabling stateless, verifiable authorisation across services.
- NIST Privacy Framework (Version 1.0): The module's identify, govern, control, communicate, and protect functions align with NIST Privacy Framework core functions, supporting organisations operating across EU and US regulatory contexts.
- OASIS KMIP: Cryptographic material used to protect personal data at rest is managed in accordance with the Key Management Interoperability Protocol, ensuring keys can be rotated or destroyed as part of an erasure workflow.
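The key-destruction step that the KMIP item above ties to the erasure workflow is the part practitioners most often want to see concretely. The following is an added example, not the module's own code: each data subject's records are sealed under a per-subject data encryption key with AES-256-GCM, so an Article 17 request can be completed by destroying that key (crypto-shredding), after which every copy of the ciphertext, including backups, is unrecoverable. The in-memory `KeyStore`, the subject identifiers and the sample record are assumptions standing in for a KMIP-managed key server.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Distinct errors let a DSAR read path tell "subject erased" from "never provisioned".
var (
	ErrKeyDestroyed = errors.New("data encryption key destroyed: subject erased")
	ErrNoKey        = errors.New("no data encryption key provisioned for subject")
)

// KeyStore is an assumed stand-in for a KMIP-managed key server: one 256-bit
// data encryption key (DEK) per data subject, plus a record of destroyed DEKs
// so that later reads fail with a clear, auditable reason.
type KeyStore struct {
	keys      map[string][]byte
	destroyed map[string]bool
}

func NewKeyStore() *KeyStore {
	return &KeyStore{keys: map[string][]byte{}, destroyed: map[string]bool{}}
}

// Provision creates a fresh random DEK if none exists. An erased subject is
// never silently re-provisioned: that would let a stale identifier re-create
// an identity the controller has already erased.
func (ks *KeyStore) Provision(subject string) error {
	if ks.destroyed[subject] {
		return ErrKeyDestroyed
	}
	if _, ok := ks.keys[subject]; ok {
		return nil
	}
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return err
	}
	ks.keys[subject] = key
	return nil
}

// Erase is the cryptographic half of an Article 17 request: the DEK is zeroed
// and dropped, leaving every ciphertext sealed under it unrecoverable.
func (ks *KeyStore) Erase(subject string) bool {
	key, ok := ks.keys[subject]
	if !ok {
		return false
	}
	for i := range key {
		key[i] = 0
	}
	delete(ks.keys, subject)
	ks.destroyed[subject] = true
	return true
}

func (ks *KeyStore) gcmFor(subject string) (cipher.AEAD, error) {
	if ks.destroyed[subject] {
		return nil, ErrKeyDestroyed
	}
	key, ok := ks.keys[subject]
	if !ok {
		return nil, ErrNoKey
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals one record under the subject's DEK. The subject identifier is
// bound as associated data, so a record cannot be re-attributed to another
// subject without detection. Output layout: nonce || ciphertext+tag.
func Encrypt(ks *KeyStore, subject string, record []byte) ([]byte, error) {
	gcm, err := ks.gcmFor(subject)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, []byte(subject)), nil
}

// Decrypt is the read path used when assembling a response package; after
// Erase it returns ErrKeyDestroyed even though the ciphertext still exists.
func Decrypt(ks *KeyStore, subject string, sealed []byte) ([]byte, error) {
	gcm, err := ks.gcmFor(subject)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(subject))
}

func main() {
	ks := NewKeyStore()
	subject := "ds-0001" // constructed identifier
	_ = ks.Provision(subject)
	sealed, _ := Encrypt(ks, subject, []byte("name=Jane Doe;email=jane@example.invalid")) // constructed record
	before, _ := Decrypt(ks, subject, sealed)
	fmt.Printf("before erasure: %s\n", before)
	ks.Erase(subject)
	_, err := Decrypt(ks, subject, sealed)
	fmt.Printf("after erasure: %v\n", err)
}
```

Two design points carry over to a real deployment: the key server, not the application, should own the destroy operation so the erasure confirmation logged to the audit trail comes from the system that actually held the key, and backups of the ciphertext need no special handling because without the DEK they hold nothing recoverable.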
Availability#
- Enterprise Plan: Included
- Professional Plan: Available with DSAR case volume limits; breach notification workflow and Article 30 reporting require an Enterprise Plan upgrade.
Last Reviewed: 2026-05-26