OneTrust’s Enhanced Data Subject Access Rights (DSAR) Portal Automated Over 10,000 Requests Within First Two Weeks of GDPR

OneTrust, the global leader in privacy management and marketing compliance software, today announced its data subject access rights (DSAR) tool has helped organizations handle more than 10,000 requests within two weeks of the General Data Protection Regulation (GDPR) go-live date of 25 May.

OneTrust’s DSAR tool is based on deep privacy research and gives an organisation a scalable and secure way to handle individual rights requests from customers, employees, partners and other data subjects under the GDPR. Recent updates to OneTrust’s DSAR tool give organisations more options to customise and automate workflows, offer built-in translations to 100+ languages and enhance reporting and metric capabilities.

The GDPR outlines nine distinct rights for data subjects, including data portability, access, erasure and rectification. Providing this service manually can require complicated and time-consuming internal actions, from processing the request and verifying the data subject’s identity to locating the data and responding in a timely fashion. Under the accountability principle, GDPR also requires that organisations be able to demonstrate compliance with their obligations. This means organisations may need to produce records that data subject access requests have been handled appropriately, which can be an additional laborious process if done manually.

The OneTrust DSAR portal helps companies automate data subject requests. Data subjects can submit their request through a branded web form embedded in an organisation’s privacy policy. The requests are added to a queue for privacy and IT teams to complete via automatic, customisable and pre-configured processes. If the company needs to communicate with or get additional information from the data subject, it can use secure, encrypted messages right from the OneTrust platform. The web form is available in 100+ languages and the data subject can select their preferred language for all communications.

OneTrust helps organisations automate DSAR requests in five steps:

  1. Request intake: Data subjects make their request and upload a copy of their identification. Once submitted, the request is recorded into the OneTrust platform for processing.
  2. Assignment workflows: Companies can then validate the data subject’s identity, start assignment workflows across internal teams and track deadlines. OneTrust will automatically request an extension if the one-month deadline is approaching.
  3. Find the data: With integrations into the OneTrust Data Mapping tool, as well as an automation API, companies can locate the subject’s data and process it based on the request. OneTrust also links with internal IT service management tools to consolidate requested information across multiple services.
  4. Communicate responses: Throughout the process, organisations can easily communicate with the data subject through secure, encrypted communications from the OneTrust platform. Once the request has been completed and the data subject is satisfied, settings allow for attachments to be automatically deleted and for the user’s access to the portal to be automatically revoked after a certain time.
  5. Metrics and reporting: From the OneTrust platform, organisations can review responses received, average turnaround time and cost metrics about all requests received.

The process can be tailored in OneTrust to reflect the unique structure of the organisation. These customised workflows can automatically create sub-tasks for business and IT owners, request the submission of necessary information and control the access, editing and advancement of the request. For compliance purposes, OneTrust maintains a full audit trail of any changes made on a request.

“Expanded rights for data subjects are a positive step forward in GDPR, however, can be a manual and complicated obligation for organisations to handle appropriately,” said Kabir Barday, OneTrust CEO and Fellow of Information Privacy (FIP). “That’s why we built the OneTrust DSAR portal to automate and record the full lifecycle of data subject requests. Privacy and IT teams are now equipped with a highly scalable tool to automate processing those requests. Like all of our products, our DSAR solution is designed based on deep privacy research and a firm understanding of the requirements under GDPR and is deeply integrated with our data mapping, PIA/DPIA and other privacy management modules.”

A 5-minute demo video of OneTrust’s DSAR Portal can be viewed at