Docs / Tutorial: Complete a Case End-to-End

Tutorial: Complete a Case End-to-End

This tutorial walks you through handling a complete Data Subject Access Request (DSAR) from receiving the request to sending the final response. Follow along in your own SAR Portal account.

Open Cases →

Cases list view - Your starting point for managing all DSARs
Cases list view - Your starting point for managing all DSARs Cases list view - Your starting point for managing all DSARs

Scenario

The Request: John Smith has submitted an access request through your public portal, asking for a copy of all personal data you hold about him.

Your Task: Gather his data, review it for third-party information, redact where necessary, and respond within 30 days.

1Review
2Gather
3Analyze
4Redact
5Review
6Close

Step 1: Review the New Case (Day 1)

When the request comes in, you’ll receive an email notification and see it in your dashboard.

1.1 Open the Case

Sidebar Cases Click on the case

View Cases →

Cases
CASE-2024-0042 Opened

John Smith • john.smith@email.com

Access Request (Art. 15) • Due: 30 days

1.2 Review Case Details

Check the case summary:

1.3 Update Status

Change the status to show you’ve started working:

Status:

Step 2: Gather Data (Days 1-7)

Now collect all personal data you hold about John Smith.

2.1 Search Your Systems

Check all locations where you might have John’s data:

2.2 Export the Data

Export relevant records as documents:

2.3 Attach Documents

There’s no standalone upload button or drag-and-drop area. You attach files through one of the case flows — Request Info, Submit Info (while awaiting information), or the Close Case dialog — each of which opens a file picker. Hold Ctrl/Cmd to select several files at once.

Case Request Info / Close Case Attach files (file picker)
Case Documents
Attached files — added via the Request Info, Submit Info or Close Case file picker.
PDF, Word, Excel, Images • Max 100 MB (10 MB on trial)
📄 john-smith-customer-profile.pdf 245 KB
📄 email-history-export.pdf 1.2 MB
📊 order-history.xlsx 89 KB

2.4 Add Notes

Document what you searched:

Searched the following systems for data relating to John Smith:
- Salesforce CRM: Found customer profile and order history
- Gmail: Found 23 email exchanges
- Zendesk: Found 2 support tickets
- Mailchimp: Found on marketing list (subscribed)
- Accounting system: No records found

Step 3: Review Detected PII (Days 7-14)

There’s no separate “Analyze for PII” button. When you attach redactable files, SAR Portal runs PII detection automatically and shows a Review Detected PII screen.

3.1 Review the Detected Entities

As your files are attached:

  1. PII detection runs automatically (no button to press)
  2. The Review Detected PII screen lists the entities found, grouped by type
  3. You decide which entities to redact — the subject’s own PII is shown but is not auto-selected, so John’s own data stays in his copy unless you choose otherwise
Review Detected PII

12 entities detected in email-history-export.pdf

Email Addresses 5 found
john.smith@email.com, sarah.jones@company.com, mike.wilson@company.com...
Names 4 found
John Smith, Sarah Jones, Mike Wilson, Emma Brown
Phone Numbers 2 found
+44 20 1234 5678, +44 20 8765 4321
Addresses 1 found
123 High Street, London, EC1A 1BB

3.2 Identify Third-Party Data

Important: You must redact personal data belonging to OTHER people before sending to John.

From the analysis above, identify:

GDPR Requirement
Article 15(4): The right to obtain a copy shall not adversely affect the rights and freedoms of others. You must protect third-party personal data.

Step 4: Redact Third-Party Data (Days 14-21)

Remove other people’s personal information from the documents — this happens on the same Review Detected PII screen, right after attaching.

4.1 Select the Entities to Redact

There’s no separate redaction editor to open. On the Review Detected PII screen, tick the third-party entities you want to remove. The subject’s own data is shown but not pre-selected, so leave John’s own details unticked.

Review Detected PII
john.smith@email.com
Email Address • High confidence
Keep Redact
sarah.jones@company.com
Email Address • High confidence
Keep Redact

4.2 Your Selections

EntitySelectionReason
john.smith@email.comLeave untickedSubject’s own data
John SmithLeave untickedSubject’s own data
sarah.jones@company.comTick to redactThird-party data
Sarah JonesTick to redactThird-party data
mike.wilson@company.comTick to redactThird-party data
Mike WilsonTick to redactThird-party data

4.3 Redact and Attach

  1. Click Redact Selected (n) to apply the redactions to your selected entities
  2. Review the redacted result on the next screen
  3. Click Confirm & Attach to Case (n) to add the redacted files to the case
Skip Redaction
If a file needs no redaction, choose Skip Redaction to attach it unchanged. The redaction always produces a new redacted version — the originals you attached are preserved.
Redaction Complete
The redacted document now shows black boxes where third-party data was removed, and is attached to the case.

Step 5: Review & Approve (Days 21-28)

Before responding, have the documents reviewed.

5.1 Mark Identity as Verified

Once you’ve confirmed the subject’s identity, click Mark Verified. It’s a single click — there’s no method picker and no notes field. The method is recorded automatically, which is your GDPR Article 12 evidence:

Mark Verified
Status:

Method recorded automatically: Portal token (John verified his email at submission). Timestamp captured automatically.

John submitted through the portal, so his email was already verified at submission — the method is recorded as Portal token automatically. When an admin clicks Mark Verified on a case that arrived by another channel, the method is recorded as Manual review. If you carried out extra checks (e.g. inspected an ID document), note them in the case Notes. See Identity Verification.

5.2 Review Checklist

Before closing, verify:

5.3 Add Final Notes

Document your review:

Review completed by: Jane Admin
Date: [Today]
Documents reviewed: 3
Redactions applied: 8 third-party items
Response ready for delivery

Step 6: Close the Case (Day 28)

Finalize and send the response.

6.1 Prepare Response Package

Download the redacted documents to send to John:

  1. Click Download on each redacted document
  2. Compile into a response package
  3. Include a cover letter explaining what’s provided

6.2 Send Response to Subject

SAR Portal does not send the final package from inside the app — you deliver the downloaded documents yourself. Because John submitted through the public portal, he can track status and retrieve his response via the secure portal link he already holds (app.sarportal.com/subjectaccess?token=...). You can also deliver the package directly via:

6.3 Close the Case

Click the red Close Case button to open the dialog. Choose a Closure Reason (here, Completed & Fulfilled), add optional AI-assisted Closure Notes, and attach any final correspondence. If you pick Rejected or Invalid Request, the dialog also requires a Refusal Ground. The dialog warns you if no identity verification was recorded — you’ve already marked John verified, so you’re clear. Closing is permanent.

Close Case
Close Case

6.4 Confirmation

Case Closed Successfully

CASE-2024-0042 • Completed in 28 days


Summary

You’ve successfully completed a DSAR by:

  1. Reviewing the incoming request
  2. Gathering data from all your systems
  3. Analyzing documents for personal data
  4. Redacting third-party information
  5. Reviewing before sending
  6. Closing with full documentation

Time Spent

PhaseDaysActivities
Review1Open case, understand request
Gather7Search systems, export data
Analyze7Run AI analysis, identify PII
Redact7Apply redactions, create clean docs
Review4Final review, obtain approvals
Close2Send response, close case
Total28Within 30-day deadline

The Audit Trail

SAR Portal has automatically recorded:

View Audit Logs →


Next Steps

Other Request Types Batch Processing Managing Deadlines Audit Logs