GDPR Request Engine: Automate SAR, Erasure & Portability
by Jasper Rexford
Every month more of your customers know their rights. Subject Access Requests, erasure under Article 17, portability under Article 20, objection-to-processing. UK GDPR gives you 30 days to respond. The ICO publishes the businesses that miss the window.
Most companies handle these manually. A request lands in legal@ or privacy@, a human chases it across CRM, Stripe, Mailchimp, support tickets, internal docs, exported logs. Each request burns 4-12 hours of paid time and risks blowing the deadline.
This service builds you the engine that handles it end to end. Same engineering pattern I shipped in Recourse (which files SARs on the consumer side), inverted and productionised for the business side.

The risk of not having one

Average ICO enforcement action: £750k, published by name on the ICO website
30-day clock starts the second the request lands, with no grace period
Reputational damage from public complaints, which the ICO publishes
Audit gap: if you cannot prove every step of fulfilment, you failed the request even if you did the work
Cost-per-request scaling linearly with request volume, while volume keeps growing year over year
Consumer awareness of GDPR rights is roughly 3x what it was in 2022. The curve is not flat.

The cost saved

A typical SAR handled manually: £400-£1,200 in fully loaded staff time depending on stack complexity.
Through the engine: roughly £5 in compute per request plus a few minutes of human review and approval.
At 10 requests/month you break even in the first quarter. At 30+, the engine pays for itself in weeks.

How it runs

**Week 1:** data mapping. We catalogue every system holding personal data, every retention policy, every legal basis. The agent needs to know where to look and what to return.
**Week 2:** pipeline build. Public intake form, identity verification, request routing, automated queries across your systems, structured export, redaction of third-party data, full audit log per step.
**Week 3:** live run. We process real test requests end to end, validate exports against ICO Article 15 guidance, tune escalation rules, hand over.

What you get

The full engine: source code, infrastructure, credentials, owned by you
Public-facing intake form branded to your business
Identity verification flow (document + liveness check)
Automated routing across all systems holding personal data
Structured export for SAR, execution + proof for erasure, machine-readable export for portability
Full audit trail per request: every step timestamped and attributable
30-day deadline tracking with auto-escalation 5 days before the window closes
Audit-ready documentation pack matching ICO guidance Article 15 §1-2
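The deadline-tracking and audit-trail items above, as an added example in TypeScript (the stack tagged on this listing). This is not the service's or Recourse's own code: the `DataSubjectRequest` class, the request kinds, the step and actor names, and the sample request are assumptions made for illustration; only the 30-day window and the 5-day escalation lead come from the page. Each audit entry is timestamped, names its actor, and commits to the previous entry's SHA-256 hash, so an edited, removed or reordered step fails verification rather than silently weakening the proof of fulfilment.

```typescript
// Added example (not the service's own code): a data-subject request with
// the 30-day response clock, auto-escalation 5 days before it closes, and a
// hash-chained audit trail so every step is timestamped and attributable.
import { createHash } from "node:crypto";

type RequestKind = "SAR" | "ERASURE" | "PORTABILITY" | "OBJECTION"; // assumed
type RequestStatus = "open" | "escalate" | "overdue";

const RESPONSE_WINDOW_DAYS = 30; // response window stated on the page
const ESCALATION_LEAD_DAYS = 5;  // escalate this many days before the window closes
const DAY_MS = 24 * 60 * 60 * 1000;

interface AuditEntry {
  seq: number;      // position in the chain
  at: string;       // ISO-8601 timestamp of the step
  actor: string;    // human or system component that performed it
  step: string;     // e.g. "identity_verified", "query:crm" (assumed names)
  detail: string;
  prevHash: string; // hash of the previous entry ("" for the first)
  hash: string;     // SHA-256 over the fields above
}

// Canonical serialisation with a fixed key order so the hash is reproducible.
function hashBody(e: Omit<AuditEntry, "hash">): string {
  const canonical = JSON.stringify({
    seq: e.seq, at: e.at, actor: e.actor, step: e.step,
    detail: e.detail, prevHash: e.prevHash,
  });
  return createHash("sha256").update(canonical).digest("hex");
}

function addDays(d: Date, days: number): Date {
  return new Date(d.getTime() + days * DAY_MS);
}

class DataSubjectRequest {
  readonly dueAt: Date;
  readonly escalateAt: Date;
  private readonly log: AuditEntry[] = [];

  constructor(
    readonly id: string,
    readonly kind: RequestKind,
    readonly receivedAt: Date,
    private readonly clock: () => Date = () => new Date(), // injectable for tests
  ) {
    this.dueAt = addDays(receivedAt, RESPONSE_WINDOW_DAYS);
    this.escalateAt = addDays(receivedAt, RESPONSE_WINDOW_DAYS - ESCALATION_LEAD_DAYS);
    this.record("intake", "received", `${kind} request ${id} logged`);
  }

  // Append one step; each entry commits to the previous one via prevHash.
  record(actor: string, step: string, detail: string): AuditEntry {
    const prev = this.log[this.log.length - 1];
    const body = {
      seq: this.log.length,
      at: this.clock().toISOString(),
      actor, step, detail,
      prevHash: prev ? prev.hash : "",
    };
    const entry: AuditEntry = { ...body, hash: hashBody(body) };
    this.log.push(entry);
    return entry;
  }

  // Copies, so callers cannot edit the engine's own log in place.
  entries(): AuditEntry[] {
    return this.log.map((e) => ({ ...e }));
  }

  // Where the request sits against the clock at a given instant.
  status(now: Date = this.clock()): RequestStatus {
    if (now.getTime() > this.dueAt.getTime()) return "overdue";
    if (now.getTime() >= this.escalateAt.getTime()) return "escalate";
    return "open";
  }

  // Recompute every hash; an edited, removed or reordered entry breaks the chain.
  static verifyChain(entries: readonly AuditEntry[]): boolean {
    let prevHash = "";
    for (const [i, e] of entries.entries()) {
      if (e.seq !== i || e.prevHash !== prevHash) return false;
      const { hash, ...body } = e;
      if (hashBody(body) !== hash) return false;
      prevHash = hash;
    }
    return true;
  }
}

// Constructed sample run with a fixed clock so the result is reproducible.
const received = new Date("2024-03-01T09:00:00Z");
const req = new DataSubjectRequest("REQ-0001", "SAR", received, () => received);
req.record("verifier", "identity_verified", "document + liveness check passed");
req.record("agent", "query:crm", "3 records exported");
req.record("dpo", "export_signed_off", "third-party redactions confirmed");
console.log(req.status(new Date("2024-03-27T09:00:00Z")));   // "escalate"
console.log(DataSubjectRequest.verifyChain(req.entries()));  // true
```

The clock is injected rather than read from `Date.now()` inside the class so the escalation boundary can be tested against fixed instants; in production the default clock applies and the `status()` check would run from a scheduled job that notifies the DPO when a request enters `escalate`.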

We work with your DPO

If you have a Data Protection Officer, we set the engine to route exports for their review and sign-off before they go to the requester. If you do not have one yet, we can recommend designating one (separate engagement).

Optional retainer

After handover, an optional £397/month retainer keeps the agent current with ICO guidance updates, new data-system integrations as you add tooling, and edge cases.

What is not included

Legal review of your privacy policy
DPIA authoring (separate engagement if needed)
Marketing-consent management platform (different problem, different tool)

Best fit

UK or EU businesses holding personal data on more than a few thousand individuals: SaaS, e-commerce, fintech, recruitment, healthtech. If you are already getting more than two requests a month, payback is immediate. If you are not yet, you will be soon, and the cheapest time to build this is before the volume hits.
Starting at $2,997
Duration: 3 weeks
Tags: Claude, PostgreSQL, Resend, Supabase, TypeScript, AI Agent Engineer, Automation Engineer, Backend Engineer
Service provided by Jasper Rexford (Pro), Sunningdale, United Kingdom