DSAR Workflows

End-to-end management of data subject access, deletion, rectification, and portability requests.

DPOKit provides a complete workflow for handling Data Subject Access Requests (DSARs) under GDPR Articles 12–22, UK GDPR, and CCPA.

[Screenshot: DSAR case list showing open requests with deadline countdowns and status badges]

Request types supported

  • Access (SAR) — provide a copy of all personal data held
  • Deletion (Right to Erasure) — delete or anonymise personal data
  • Rectification — correct inaccurate personal data
  • Portability — export data in a machine-readable format
  • Objection to processing — flag and restrict processing

Intake form

Add the DSAR intake form to any page using the shortcode:

[pv_dsar_form]

The form collects:

  • Request type
  • Full name and email address
  • Optional: description of the request
  • Identity verification (email confirmation required; ID upload optional)

On submission, the requestor receives an acknowledgement email with a reference number and the statutory deadline (30 days by default, configurable).

[Screenshot: DSAR intake form embedded on a page showing request type selection and identity verification step]

Configuring the intake form

// Change the default deadline to 45 days (non-EU jurisdictions may allow longer)
add_filter( 'pv_dsar_deadline_days', function( $days ) {
    return 45;
} );
 
// Require ID document upload for all deletion requests;
// keep the configured setting for every other request type
add_filter( 'pv_dsar_require_id_upload', function( $required, $request_type ) {
    return $request_type === 'deletion' ? true : $required;
}, 10, 2 );

Case management

All DSAR cases appear in DPOKit → DSARs with:

| Column | Description |
|---|---|
| Reference | Unique case identifier |
| Type | Access / Deletion / etc. |
| Status | Received → Verified → In Progress → Completed / Rejected |
| Deadline | Statutory deadline with countdown; overdue cases highlighted in red |
| Subject | Requestor name and email |

Status workflow

  1. Received — form submitted, acknowledgement sent
  2. Verified — identity confirmation received
  3. In Progress — data collection underway
  4. Completed — response sent to requestor
  5. Rejected — request declined (with reason logged)

[Screenshot: DSAR case detail view showing status timeline, internal notes, and data package download]

Hooking into status transitions

// Run custom logic when a DSAR case moves to "In Progress"
add_action( 'pv_dsar_status_changed', function( $case_id, $old_status, $new_status ) {
    if ( $new_status === 'in_progress' ) {
        // e.g. notify a team member
        wp_mail( 'dpo@example.com', 'DSAR in progress', "Case #{$case_id} is now in progress." );
    }
}, 10, 3 );
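
As an added example (not DPOKit's own code), the same hook can flag cases that skip a workflow step, for instance reaching In Progress without passing through Verified, which would mean data collection started for a requestor whose identity was never confirmed. The status slugs other than in_progress, the assumption that a case can be rejected from any open state, and the my_dsar_ names are all assumptions to check against your installation.

```php
// Added example. Only the 'in_progress' slug appears in the DPOKit docs;
// the other slugs and the rejection paths below are assumed.
const MY_DSAR_ALLOWED_TRANSITIONS = [
    'received'    => [ 'verified', 'rejected' ],
    'verified'    => [ 'in_progress', 'rejected' ],
    'in_progress' => [ 'completed', 'rejected' ],
    'completed'   => [], // terminal
    'rejected'    => [], // terminal
];

/**
 * True when moving from $old to $new follows the documented workflow order.
 * Unknown statuses are treated as invalid so that new or misspelled slugs
 * are reported instead of silently accepted.
 */
function my_dsar_transition_is_valid( string $old, string $new ): bool {
    return in_array( $new, MY_DSAR_ALLOWED_TRANSITIONS[ $old ] ?? [], true );
}

// The action fires after the change, so this detects and reports; it cannot block.
add_action( 'pv_dsar_status_changed', function( $case_id, $old_status, $new_status ) {
    if ( my_dsar_transition_is_valid( (string) $old_status, (string) $new_status ) ) {
        return;
    }

    $message = sprintf(
        'DSAR case #%s moved from "%s" to "%s" outside the expected workflow (acting user ID: %d).',
        $case_id,
        $old_status,
        $new_status,
        get_current_user_id() // 0 when the change came from cron or the CLI
    );

    error_log( $message );                                           // server-side trail
    wp_mail( 'dpo@example.com', 'DSAR workflow anomaly', $message ); // alert the DPO
}, 10, 3 );
```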

Automated data collection

For access and portability requests, DPOKit automatically gathers data from:

  • WordPress user accounts and profile fields
  • WooCommerce orders, addresses, and customer notes
  • Contact Form 7 / WPForms / Gravity Forms submissions
  • WordPress comments
  • Mailchimp subscriber records (with API key configured)

The collected data is compiled into a data package (JSON + human-readable HTML) for review before sending to the requestor.

Registering custom data sources

Use the pv_dsar_data_sources filter to register your own data source:

add_filter( 'pv_dsar_data_sources', function( $sources ) {
    $sources[] = [
        'id'      => 'my_plugin_orders',
        'label'   => 'My Plugin Orders',
        'collect' => 'my_plugin_collect_data',  // callable: receives $email, returns array
        'delete'  => 'my_plugin_delete_data',   // callable: receives $email, returns bool
    ];
    return $sources;
} );
 
/**
 * @param  string $email The data subject's email address.
 * @return array         Associative array of data to include in the export.
 */
function my_plugin_collect_data( string $email ): array {
    global $wpdb;
    $rows = $wpdb->get_results(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}my_orders WHERE customer_email = %s", $email ),
        ARRAY_A
    );
    return [ 'my_plugin_orders' => $rows ];
}
 
/**
 * @param  string $email The data subject's email address.
 * @return bool          True on success.
 */
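function my_plugin_delete_data( string $email ): bool {
    global $wpdb;
    // $wpdb->delete() returns the number of rows removed, or false on a database error
    $deleted = $wpdb->delete(
        "{$wpdb->prefix}my_orders",
        [ 'customer_email' => $email ],
        [ '%s' ]
    );
    // Report failure so the case does not record a deletion that never happened
    return false !== $deleted;
}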

Deletion handling

For deletion requests, DPOKit executes deletion or anonymisation across all registered data sources. It respects legal holds: if an order is still within its tax retention window, it is flagged as retained with reason rather than deleted.

A deletion confirmation record is produced showing:

  • What was deleted
  • What was anonymised
  • What was retained, and why

[Screenshot: Deletion confirmation record showing items deleted, anonymised, and retained with legal hold reasons]

Audit export

Any case can be exported as a PDF audit record from the case detail view. The export includes the full case history, all status changes, internal notes, and the deletion confirmation record.