Answer any privacy request in one export — across every system you use

When a customer asks what data you have on them — or asks you to delete it — the answer comes from one place and reaches every downstream system automatically.

The problem

California sends you a Data Subject Access Request for a customer. The clock starts. You now have to surface every piece of data tied to that person: every email they were sent, every text, every appointment, every purchase, every cohort they were grouped into, every score your systems gave them. That data lives in your CDP, two or three billing tools, your POS, your call-tracking platform, your email and SMS tools, your paid ads platforms, and your product catalog. None of those systems talks to the others. The privacy attorney quotes you $5,000 to $15,000 to coordinate a single response. The enterprise privacy platforms (OneTrust, DataGrail, Securiti) want $30,000 to $200,000 a year and three to six months of implementation before they help. Your in-house privacy lead, if you have one, costs $150,000 to $350,000 a year and still has to manually pull exports from every platform. And the next request is already in your inbox — California, Virginia, Colorado, Connecticut, Utah, Quebec, the EU, Brazil are all sending them now, and the volume is climbing.

What success looks like

When a request comes in, one export answers it. Every identifier tied to that customer, every event, every cohort they were placed in, every score, every message sent — surfaced in a single audit-defensible report. Right-to-deletion works the same way: one instruction, and the deletion propagates across every downstream system that holds a copy of that customer. Per-jurisdiction retention rules run automatically (12-month marketing consent for California, six years for GDPR and HIPAA, variable rules per state). Records past their retention window get purged on schedule. The merge and un-merge history of every identity is preserved with confidence scoring — so if a regulator asks how you decided two records were the same person, you have the answer.

How most operators solve this today

A handful of tools touch this problem, but none of them work end-to-end across the systems a multi-location operator actually uses.

  • Privacy-compliance platforms (OneTrust, DataGrail, Securiti, TrustArc, Transcend, Ethyca, MineOS)

    $20,000 to $200,000+ per year

    Built for enterprise privacy teams. Three to six months to implement. Pricing assumes a dedicated privacy department.

  • CDPs and customer 360 platforms with audit (Segment, Tealium, mParticle, Klaviyo CDP, Salesforce, Adobe Real-Time CDP)

    $120 to $500,000+ per year

    Each platform only sees its own data. If you run two CDPs or two billing tools, audit is fragmented by design.

  • Master data management platforms (Informatica MDM, Reltio, Stibo Systems, Profisee)

    $50,000 to $500,000+ per year

    Enterprise scale. Six to twelve months to implement. Overbuilt for most multi-location operators.

  • In-house privacy lead plus outside counsel

    $150,000 to $350,000 per year, plus $5,000 to $15,000 per request

    Manual export from every platform, every time. Costs and headcount scale linearly with request volume.

  • Governance suites (LogicGate, NAVEX, MetricStream, OneTrust GRC)

    $20,000 to $200,000+ per year

    Generic compliance reporting. They tell you what your policy is. They do not fulfill the requests.

  • Build it in-house

    Engineering plus ongoing maintenance

    A spreadsheet log and manual exports work for the first few requests. They fall apart the moment a regulator inquiry arrives.

What changes when this is an agent skill

Every change to a customer record gets captured with a timestamp, a source, and a downstream propagation history. When a request lands, the system pulls every identifier, every event, every cohort, every score from every downstream tool — your CDP, your billing platforms, your POS, your call-tracking, your email and SMS tools, your ad platforms — and returns one consolidated export. Right-to-deletion is the same operation in reverse: one instruction, and the deletion fans out to every system holding a copy in real time. Per-state and per-country retention rules run automatically. California's 12-month marketing consent, GDPR's six years, HIPAA's six years, FINRA's six years, per- rules — they all enforce themselves and trigger automatic purge when records age out. The merge and un-merge history of every identity is preserved with confidence scoring, so if a regulator asks how you decided two records were the same person, the answer is already on file. OneTrust, DataGrail, and Securiti remain a reasonable choice if you have a dedicated enterprise privacy team. This is built for the operator who needs to answer requests cleanly without that overhead.

Agents that include this skill

Skills live inside agent rentals. To get this skill in production, hire any of the agents below — context-tuning at onboarding is included in the first month.

FAQ

What is a Data Subject Access Request and why do they matter?
A formal request from a customer to see (or delete) every piece of data you have on them. California, Virginia, Colorado, Connecticut, Utah, Quebec, the EU, the UK, and Brazil all give customers this right. The penalty for failing to respond cleanly is significant — and the volume of requests is climbing fast.

How is this different from OneTrust, DataGrail, or Securiti?
Those are enterprise privacy platforms with three to six month implementations and $30,000 to $200,000 annual pricing aimed at dedicated privacy teams. This is built for the operator who needs DSAR fulfillment to work cleanly without that overhead.

What happens when a customer asks to be deleted?
One instruction. The deletion propagates in real time to every downstream system that holds a copy of that customer — your CDP, billing tools, email and SMS platforms, ad platforms. You get an audit-defensible record showing every system the deletion reached.

Which jurisdictions are covered?
California (CCPA and CPRA), Virginia, Colorado, Connecticut, Utah, the EU and UK (GDPR), Quebec (Bill 25), Brazil (LGPD), plus your own custom rule sets if you operate in additional jurisdictions.

How does retention work?
Each rule runs automatically. California marketing consent expires at 12 months. GDPR and HIPAA records expire at six years. State-specific rules vary. When a record ages past its retention window, it gets purged on schedule — and the purge itself is logged for audit.

What if two records got merged and a regulator asks how?
The full merge and un-merge history of every identity is preserved with confidence scoring. You can show exactly what signals led to the merge, who reviewed it (if anyone), and when.

Does this replace our outside privacy counsel?
No. It dramatically reduces the volume of work counsel needs to do per request, which usually means you stop paying $5,000 to $15,000 in coordination fees on the routine ones. Counsel still reviews the edge cases.