Processing End-User Subject Access Requests (SAR)


On this page

When you receive an end-user subject access request (SAR) to export or delete data that contains personally identifiable information (PII), you can use Risk Analysis to configure the request parameters and discover documents from your data sources that match PII belonging to the end-user.


  1. Collect information from the end-user making the request, including the following:

    • Type of request (export or delete).

    • End user's email address.

    • The types and specific values of PII to discover for the request.

  2. Create projects in Sensitive Data Governance to define the scope of the data to be considered for requests.

    A project allows you to select an inventory to use for compliance-related requests.

  3. Add data sources to the project.

    When creating a project, you must also specify the locations from inventory assets that can be searched (called data sources) as part of the request.

  4. Create and configure a review request to manage individual compliance-related export or delete requests from end-users.

    Create a review request to enter information about an individual request, such as the requesting user's information, the type of request (export or delete data), and the values for each type of PII that you want to discover (such as email addresses, credit card numbers, and social security numbers). You can also redact all of the PII in the documents that are returned by the request.

    After you create the review request, documents from the project data sources that match the user's PII are added to the request queue. Each document in the queue must be reviewed by a reviewer and the overall request must be approved by an approver. You add reviewers and approvers when you create the request.

  5. Approve or decline documents in the request.

    Reviewers can log in and review each document that was identified in the end-user request. Reviewers can either approve or deny each document and add comments to explain their decision.

  6. When all of the documents in a request are processed by reviewers, approvers can approve the request.

    After the request is approved, the documents in the request are either exported or deleted, according to the request configurations.

    Note: For export requests with redaction enabled, the documents are converted to PDF format.