ZyLab + ArkCase + eDiscovery: A Privacy Management Solution to Solve CCPA/GDPR Challenges

ZyLab + ArkCase + eDiscovery: A Privacy Management Solution to Solve CCPA/GDPR Challenges

ZyLab ArkCase eDiscovery A Privacy Management Solution to Solve CCPA/GDPR Challenges

With the emergence of data privacy laws in the USA and European Union, companies are facing an uphill battle. The Data Subject Access Request’s legal framework poses strict rules on processing and responding to requests. Failing to respond to a DSAR can mean serious financial penalties.

Under the General Data Protection Regulation (GDPR) in the EU, and its US equivalent, the California Consumer Privacy Act (CCPA), non-compliance fines can be as high as 20 million Euros or 4% of annual global organization revenue. Under CCPA, noncompliance is not directly sanctioned, but it keeps the door open for violations and lawsuits.

Despite such large fines, according to Egress, only 30% of business respondents are in regulatory compliance, and only another 27% plan to do it in 2020. A recent ZyLAB survey points out that for 45.4% of those implementing the DSAR solution, the biggest challenge is to remain compliant in the future.

In this text, we will cover the DSAR compliance topic and propose several off-the-shelf technologies that can provide a reliable, scalable and most importantly, cost-effective DSAR solution.

The greatest DSAR compliance challenge 

The biggest DSAR compliance challenge

We live in a time of corporate data explosion. Digitally connected, we are creating a digital trail wherever we go, whatever we do. Our civilization’s digital footprint doubles every 18 months.

With the introduction of DSAR, from an undisputed source of wealth and business value, data is now a regulation problem that requires fundamental changes in organizational behavior.

GDPR and CCPA create a whole set of new obligations that organizations can’t ignore.

  1. Citizens can use“Right of Access” (GDPR) or “Right to Know” (CCPA) to request if an organization possesses some personal data about them.
  2. Citizens can use the “Right to be forgotten” (GDPR) or “Right to Delete” (CCPA) to demand deletion of all their personal data that the organization possesses. Data controllers are obligated to do it “without undue delay, which means in a one-month time frame.
  3. Organizations should follow specific data management regulations such as:
    Strict cybersecurity requirements (mandatory data encryption, data security measures, report of breaches, etc.).
    Data processing rules.
    Redact or pseudonymize all sensitive information when there is no regulatory need to collect, possess, manage, or use it.
  4. They must ask the user for prior consent before the user’s personal information is collected and stored.
  5. All data breaches must be reported, and all subjects whose data has been breached must be informed. Organizations have 72 hours from discovery to notify authorities and must keep all records about it. Also, data subjects must be notified “without undue delay” when breaches have affected their unencrypted personal data. The CCPA adopts the individual cause of action or class action versus organizations that fail to adopt reasonable security practices to prevent data breaches.
  6. All third-party integrations must be in regulatory compliance, and the organization should be able to demonstrate that.

As we see, regulatory compliance is not an option. It is an obligation.

From the perspective of DSAR, organizations need to have a scalable system to get these requests, process them quickly and respond on time. However, with a growing data footprint stored in disconnected data sources like emails, chat systems and physical correspondence, searching for each requestor’s data is a daunting challenge. Luckily, there are advanced search solutions that can handle this kind of workload.

ZyLAB’s eDiscovery: The silver bullet on the data train?



In its core, eDiscovery is the collection, processing, and indexing of disparate content so that it can be thoroughly reviewed and redacted. Heavily used in the legal sector, eDiscovery enables organizations to scour large sources of data for Personally Identifiable Information (PII)—lightning fast.

When an organization receives a DSAR, the challenge lies in tracking all data sources for specific details, usually personally identifiable information and other data about the requestor and the data holder. These requests can be simple to process, but as organizations grow, so does the complexity of these requests.

In two examples, organizations have reported staggering costs of processing complex SAR requests. The first is from Nursing and Midwifery Council in the UK. A single, heavily-redacted DSAR costed about $315,000 in processing costs and legal fees. In another case, Oxford University faced a $150,000 cost in order to respond to a single SAR request due to the University needing to process over half a million emails in order to respond to the requestor, Dr. Cécile Deer.

Without a software solution that can process digital data and find personally identifiable information of the requestor (all while masking other individuals’ PII), responding to SAR requests can be extremely expensive for organizations.

Therefore, an eDiscovery solution like ZyLAB ONE is good as a silver bullet for DSAR challenges. The process of finding any document in various locations, fast and on scale is essential for a reliable DSAR solution.

Without using eDiscovery, any DSAR solution would struggle with the search functionality, which is essential for timely DSAR processing.

eDiscovery is responsible for:

  • Locating and processing all relevant data across all repositories, e-mails, etc.
  • Redacting all personally identifiable information related to other individuals mentioned in the same content.
  • Collecting information directly from the relevant organization’s sources with true data integrity.
  • De-duplicating the information. With any DSAR search, the portion of duplicate documents can be up to 80%. Deduplication eliminates a huge portion of work, therefore speeding up the DSAR response time.
  • Automatically unpacking containers of files and making every component searchable.
  • Enriching non-searchable data such as scans, images, media files or unsearchable PDFs, so that all information can be searched and used.
  • Analyzing, classifying and organizing information for a quick and comprehensive review.
  • Using auto-redaction to anonymize or pseudonymize personal and confidential information. This is crucial for data transfer outside of the EU. While anonymization is a more robust solution, after redaction the data subject is no longer identifiable. With pseudonymization, data can no longer be attributed to a data subject. Additional information used to identify is kept separate and subject to technical and organizational security measures. Only when the identifiers are reunited with the core data will it be safeguarded like any other personal data. Otherwise, a non-attribution must be provided.
  • Automatically converting all electronic file formats to one standard format before redactions.
  • Detailed tracking and reporting provide a complete audit trail to prove requested personal data erasure.

These are the key features to solve the GDPR/CCPA bottleneck for finding any document across all locations in the organization. It’s important to note that not all eDiscovery solutions have all these features incorporated.

ZyLAB ONE’s AI-powered eDiscovery combines advanced search, text-mining, auto-classification, natural language processing (NLP) and machine learning. Using these procedures, ZyLAB ONE can cull information from archives to ascertain what information can be destroyed without harming the business, historical or legal need for that data.

ZyLAB ONE eDiscovery can scale out and manage search over large clusters of machines. Both indexing and searching can be distributed over as many machines as desired, and indexes can be centralized or distributed for better performance or robustness needs.

This results in almost unlimited scalability of the search engine. Depending on the hardware, ZyLAB can index multiple terabytes of data in a matter of just a few hours. At the same time, it maintains the ability to search faster than any other product for large queries containing positional operators, Boolean, quorum search, wildcards, and fuzzy matching (also at the beginning of words), complex regular expressions, parsing and tokenization flexibility.

Support functions like index checksums, monitoring index status tools, the environment status tool, and the current running status help in the control and maintenance.

Having a powerful eDiscovery component alone, however, isn’t enough for a solid DSAR solution. Organizations need to marry this search feature with a system that can capture DSAR requests, use workflows and automation to process these requests at-scale.

DSAR Management with the ArkCase Case Management Platform


ArkCase DSAR Solution

One of the hallmarks of DSAR requests management, other than being data-intensive, is that it has a relatively fixed workflow:

  • It all starts with a public portal where people can fill out a DSAR request.
  • Next, there is a mandatory identity verification to confirm that the requester is the data subject. Then, the request is queued for processing.
  • The processing has a fixed workflow of finding the data, deduplication, redaction, review, and delivery.
  • The data subject can respond with a deletion request that the company can respond with proof of deletion beyond recovery.
  • Lastly, the entire process from submission to closure should be auditable, meaning that at every stage of the workflow, log entries are recorded and stored securely.

Software solutions that are preconfigured with workflows and forms are also heavily used in medical and legal practices. These case management solutions enable organizations to automate repetitive tasks, streamline workflows, leverage collaboration and use the cloud for global yet secure access.

One of our favorite case management platforms is ArkCase. It is a modern, open-source case management platform that accelerates case processing time. Thanks to its flexibility, ArkCase offers many off-the-shelf solutions such as data privacy management, FOIA requests management, complaint management, correspondence management, legal case management, etc.

ArkCase is a robust platform that comes with a personalized dashboard, document management capabilities, collaboration, rules engine, configurable and pre-configured workflows, advanced search, reporting, calendaring, task management, multimedia search and is fully auditable. It is an open-source solution that is field-tested, cost-effective, and future proof.

  • Content/Records Management System
  • Robotic Process Automation (RPA)
  • Analytics
  • Correspondence Management
  • Modern eDiscovery

With these integrations, the ArkCase DSAR Solution claims a processing time savings of 60%.  Without the DSAR Solution, the cost of manually processing privacy requests is $1,400 per request.

With flexible licensing and pricing, ArkCase DSAR can be an excellent way to achieve full CCPA and GDPR compliance without breaking the budget.

Wrap-Up: The Combined Benefits Of ZyLAB ONE And ArkCase 


As a result of legal frameworks such as GDPR and CCPA, companies are facing an ever-growing amount of data disclosure requests governed by DSAR. Companies that gather and store a large volumes of user data will find it difficult to respond to these requests on time, even if all their data is digitally stored.

Finding all personally identifiable information related to the requestor, while redacting all other PII from other individuals mentioned in the requested documents, is a daunting task that cannot be solved with increasing the workforce alone. Therefore, organizations turn to scalable technologies like ZyLAB ONE and ArkCase. ZyLAB ONE provides a reliable and fast eDiscovery search, while ArkCase enables people to work optimally, one case at a time.

ZyLAB ONE eDiscovery has the most scalable and flexible architecture on the market. ZyLAB ONE easily handles large data volumes. The total system capacity can be scaled up by assigning as many virtual machines as needed to increase the computing capacity. As a SaaS-based eDiscovery solution, it is suitable for thin-client and remote work use, but it can also be implemented on-premise or hybrid.

ZyLAB ONE eDiscovery provides seamless integration for an efficient process without interruption. A flexible architecture “follows the wave of data” through the eDiscovery system during a project. Thanks to this flexible architecture, ZyLAB ONE provides a future-proof solution for processing large amounts of data, ensuring reliable eDiscovery functionality.

ArkCase is a FedRAMP Moderate open-source platform with a proven track record. As a cloud DSAR solution, it is suitable for thin-client use and remote work use, but it can also be implemented on-premise or hybrid. Federated Search is implemented as an information retrieval technology that allows the simultaneous search of multiple searchable resources.

Combined, the two provide a scalable DSAR solution that provides an organized, central location where all data is standardized and where all your Production Readiness Review (PRR) processes begin and end. A platform that gives control over data access, document review, redaction and the ability to request status at any point in time. All actions are documented and traceable preventing any possible litigation.

If you’re interested in finding out more details about how Armedia can help as a Solutions Integrator and solve your Data Privacy Management needs, contact us for a no-obligation consultation.


Why Every Enterprise Needs DSAR Software

Why Every Enterprise Needs DSAR Software

Laws like GDPR, CCPA, WPA, and others are springing up across the world giving citizens the right to request companies to disclose what personally identifiable information they store about the individual. For states, companies are required by law to respond to the submitted request within a day and they must to provide the requested information within a month. Scouring through petabytes of data for specific information can prove to be a challenge. Failing to respond on time can result in hefty fines, like in the Barnes v. Hanna Andersson case.

In this text, we’ll cover the six key steps in processing a Data Subject Access Rights (DSAR) request, what the main challenge is for each of these steps, and how DSAR software can make life easier for companies.

Step 1: DSAR Request Submission Portal

why every enterprise needs DSAR Software-DSAR Request Submission Portal

Companies should provide a DSAR Request Submission component linked to their corporate website where citizens can submit a DSAR form. This portal should be easy to use, secure, and if the portal supports creating and storing individual login credentials, tied with the login details of the person submitting the request.

The challenge in this first step is the ability of the company to capture the right information about the Requestor, so that the following steps are executed properly and on time. While this first step is not complex, people can easily mistype their name or their email or enter a different email address than the existing one in the system. This can cause problems later on as the request gets to next steps in the workflow.

An effective DSAR solution will have forms with field validations so that proper email formats are checked before submission. In some cases, form validation can go further and check for typographical errors. The benefit of form validation is that Requestors will ensure they are typing in the correct data, and when the form is behind an active login session, these fields can be pre-populated.

Step 2: Verification of Identity

why every enterprise needs Data Subject Access Requests Software-Verification of Identity

When companies receive a data subject request, the first step is confirming the identity of the person by matching that identity to the requested content.

The challenge is verifying the identity of the Requestor remotely and securely. Chances are, that some of your customers, employees, etc. may need to provide additional information beyond their name, surname, address, telephone number to include login ID, email, IP address, etc. to identified themselves more precisely. In some cases, companies may need to collect a dozen other details to precisely identify who is submitting the request, and what personal data the company keeps.

The benefit of a good DSAR software platform is enabling corporations to quickly and even automatically identify any additional information the Requestor needs to provide in order for a proper and definitive identification.  Automating this step is key in responding in a timely fashion and sending the right data to the right person within the 30-day timeframe.

Step 3: Searching for Personally Identifiable Information

why every enterprise needs DSAR Software-Searching for Personally Identifiable Information

As data storage becomes more and more affordable, companies are storing more of it. While this may be valuable for data-driven business decisions, each company’s vast data footprint is adding to the complexity of responding to DSAR requests.

The challenge: after a DSAR request has been successfully submitted, the DSAR software or with an integrated eDiscovery platform will need to search through all the repositories the company has, spread across different systems and potentially different locations to include SaaS based platforms. Companies may keep bits and pieces of personally identifiable data in dozens of locations:

  • ECM system databases
  • Office 365 / SharePoint folders
  • Email servers
  • Proprietary applications
  • CRM systems
  • Billing systems
  • Internal chat systems
  • External marketing platforms.

The solution will need to be able to securely connect to each of these data storage endpoints and quickly search through petabytes of data. These systems will need to be able to communicate via encrypted API endpoints at-scale, secured from interception or copying by hackers.

An effective DSAR solution makes all this possible. Without it, companies may not be able to respond to DSAR requests in a timely and a secure manner.

Step 4: Data Review and Approval

why every enterprise needs Data Subject Access Requests Software-Data Review and Approval

While companies can fully automate the data delivery, it is best if this data gets reviewed by a person before it is released to the Requestor. One risk is that a document may have PII about another individual that needs to be redacted.

The challenge of having the staff involved in DSAR review and approval is that people will need an intuitive user’s interface to do their job as well as assistive technology given the volume of information. In addition, the entire process needs to be audited so the organization knows how had access to the Requestor’s information.

The benefit of an integrated DSAR solution is the automation, collaboration, tracking, reporting and auditability.

Step 5: Timely Response

why every enterprise needs DSAR Software-Data Review and Approval

The key challenge of DSAR requests is that there is a strict deadline for companies to respond. Similar to Public Records / Privacy / FOIA requests where government have a statutory timeline to respond, companies have only 45 days to receive, verify, and respond to a DSAR request.

Even though many of these laws are fairly new, we already hear of lawsuits against companies who failed to respond properly and on time. Just recently we witnessed the Barnes v. Hanna Andersson case where Salesforce and Hanna Andersson LLC got fined for failing to comply with timely data disclosure under CCPA.

The benefit of using a DSAR application is that corporate staff will be able to follow these requests and get reminders of  deadlines. To help assist with complying with the timeline, an integrated DSAR solution that includes eDiscovery and potentially RPA is recommended.

Step 6: Data Editing or Deletion

why every enterprise needs DSAR Software-Data Editing or Deletion

Under DSAR legal frameworks like GDPR, CCPA, or WPA, data subjects can request deletion or editing of the stored data. Ideally, an integrated DSAR software solution will be able to store the data sources of each piece of PII, tie it to a specific DSAR request, and have the ability to send Delete and Update requests through a secure API connection.

The challenge is twofold here. First, the DSAR software will need a way to send an Edit or Delete command to the exact data location for each DSAR request. Second, this data management will have to be auditable.

This means that qualified DSAR software solutions will have the ability to integrate with disparate data sources and have the ability to quickly respond to any Requestor’s demand for editing or deleting of PII.

Ideally, the DSAR software solution will be able to have a two-way communication with storage endpoints and fulfill a Delete or Edit request. This will allow the DSAR to track the communication that the request was fulfill and by which systems.

The benefit of a reliable integrated DSAR solution is clear. Without a software solution, companies will have a hard time adhering to the law and proving that it was accomplished if litigation arose. There is an added benefit too. While companies may have internal best practices for data management, de-duplication, etc., it is still helpful to have a visual map of all the locations that contain privately identifiable information.

Auditing Capabilities

As we already mentioned, companies need to be able to track how each DSAR case is handled, from the moment of its creation to the moment it was successfully processed. Every action done by the staff, every API call done by the software to send requests and receive encrypted information from external sources, every alteration of any data endpoint needs to be thoroughly documented.

Capable DSAR software solutions should have this auditing capability. In cases where the DSAR solution is built with proper case management capabilities, auditing should not be a problem. Most case management platforms on the market have this built-in.

One such solution is ArkCase, an open-source case management platform. ArkCase is built with auditing capabilities out of the box. Any time an action is done on a case, there’s an audit entry with a timestamp and clear details of who did what and where. Companies can extract the timeline for every DSAR form. These reports can contain timestamps, people involved, data sources, staff activities, IP address and even the Requestor’s responses.


The Data Subject Access Requests initiative, covered with legal frameworks like GDPR, CCPA, WPA and other variants, are enabling citizens to approach private companies and request data disclosure. Companies, under CCPA, have to respond to the request and disclose all personally identifiable information within 45 days. Failure to comply could mean hefty fines, as Salesforce already experienced first-hand.

Because of the complexity of what qualifies as personally identifiable information and the vast amounts of data that companies store, DSAR software is quickly becoming a corporate necessity. The only way companies can scour through petabytes of data spread across internal and external databases in a timely manner is by relying on an integrated DSAR software.

In most cases, DSAR software uses the same mechanisms as case management solutions. The forms, workflows, and user roles can all be pre-built and ready to be used out of the box.

The ArkCase team has implemented a DSAR solution that can be integrated within enterprises to automate this process. The ArkCase DSAR solution is a reliable option for any size organization that need to be ready to respond efficiently and effectively to Requestors.

For more information on this subject, feel free to reach out to us via the Contact form, or using the Comments below. And, please help us raise awareness of the DSAR Software option by sharing this text with your social media connections.

Data Subject Access Requests (DSAR) Software: What Is It, Who Is It For, And Why Should You Care?

Data Subject Access Requests (DSAR) Software: What Is It, Who Is It For, And Why Should You Care?

Data Subject Access Requests (DSAR) Software

With recent legislation developments ensuring citizens’ rights to request their personal data that companies hold, companies are facing a turbulent future. Compliance is not optional. Now, the race is on. Citizens will be reaching out to companies, requesting disclosure. Companies need to adopt a software solution that enables fast and reliable personal data search and reporting.

What is DSAR?

The Data Subject Access Request policy basically states that citizens may request, under the General Data Protection Regulation (GDPR), that a data controller (business or other organization) disclose the requester’s personal data that the organization holds about them.

Companies need to respond in a defined time frame and provide the information to the requestor. Companies also need to be able to edit or delete personal data upon request from a citizen. To successfully fulfill these tasks, companies and organizations need reliable Data Subject Access Requests (DSAR) Software solutions that meet all the requirements set by the DSAR initiative.

Different countries have different interpretations of the DSAR policy, complicating an already daunting challenge of compliance.

It all starts from the EU General Data Protection Regulations (GDPR) which replaced the old 1995 data protection directive. It was published in May 2016 and went live on May 25, 2018.

In the United States, the closest GDPR equivalent is the California Consumer Privacy Act (CCPA) that became law on January 1, 2020. It is the first US-based consumer privacy regulation.

The state of Washington is currently working on legislation known as the Washington Privacy Act (WPA). The WPA regulation is stronger than CCPA and uses some GDPR concepts, therefore it is viewed as a leading example of consumer privacy regulation in the U.S.

There is obviously a movement towards nation-wide acceptance and formalization of the Data Subject Access Requests initiative, so citizens can claim ownership of their data, regardless of who holds this data.

Who gains from the DSAR and who are the stakeholders?Data Subject Access Requests (DSAR) Software

Clearly, the citizens are the main winners in this process; they gain new fundamental rights: personal data privacy and protection. Individuals get the right to ask companies and organizations to disclose what data they hold, and request further action such as editing, moving or deletion beyond recovery of that data.

Companies and organizations, also known as data controllers, must ensure that the Data Subject Access Request initiative really works. Companies and organizations are expected to deliver on DSAR. They will have to fulfill these new obligations by developing internal processes, workflows, and technologies that allow full compliance. Data controllers are expected to return a notice within 24 hours after receiving the data access, and they are expected to answer the data access request within a month after the request was submitted. Failure to comply can have legal ramifications and will also include fines

In some cases, data controllers can have external data processors who have the responsibility to handle these data access requests on behalf of the controllers. They should implement all measures needed to receive the request and respond to it in a timely, secure fashion.

While DSAR is a fairly straightforward high-level idea, the nuances are challenging. A citizen submits a to a company or organization, using their DSAR workflow processing software. The company’s staff receives this request. Then the controllers and data processors find all the data on that citizen and reply to the request. So-far, so-good.

However, receiving the request requires a more complex software that will help the organization verify that the requestor is the same person that would be the data-subject. Otherwise, the company would face the ramifications of disclosing personal information to third parties.

Then, the ability to pull all the data from all data sources, and combine it in a single report, is also challenging. If the data requester asks for data edits, the company should be able to send these data updates to the specific location, making DSAR not only a data retrieval but also a data modification process.

On top of that, this DSAR software would need to have auditing capabilities, which means strict user access level controls and logging of every single action that is taken around each case.

Why should you care about DSAR?

Compliance with these regulations is not optional. Companies and organizations must adhere to the DSAR initiative and the legal frameworks like GDPR, CCPA, and WPA.

Failure to comply will almost always result in fines. The Barnes v. Hanna Andersson case is the very first case for violations based on the CCPA. The minimum amount of that case damage is a million dollars. In just 30 days from the CCPA launch, this case was opened on February 3rd, 2020 against SalesForce and Hanna Andersson, LLC.

Fines from GDPR in Europe are an almost everyday occurrence, ranging from a few hundred euros to a 99 million pound fine against Marriott International Inc. for a data breach.

According to the latest Talend’s survey, only 42% of all companies and organizations were able to successfully respond to DSARs. According to a report by Gartner, the average cost to process a single DSAR request is $1400. Such a high fee implies that the process is manual and labor-intensive.

Companies and organizations are hard-pressed to process a growing number of DSAR requests under a threat of lawsuits and any company and organization storing personal data could be the next target.

The Microsoft Example: Preemptive DSAR Compliance

Data Subject Access Requests (DSAR) Software

Microsoft has chosen to deal with DSAR requirements proactively by implementing their DSAR software solution nationwide, not just in California.

One recent review of the 50 companies from the Fortune 500 list made by the Data Protection Report indicated that it will be much more difficult to differentiate users in California versus the entire U.S. The complexity will grow when all new state regulation initiatives are in place: New York Privacy Act (S5642), Massachusetts (SD 341), New Hampshire (HB 1680-FN), and Virginia (HB 473), for example.

Hopefully, federal unification of the regulations will happen quickly. The process to unify regulations is being addressed through the Online Privacy Act (H.R.4978) bill introduced in the US Congress, which includes a provision that users have the “right to choose how long data can be kept and opt-in consent for the use of data for A.I. algorithms.”

Next Steps: Tools of the trade

While the Data Subject Access Request framework is relatively new, it is still a process that can be automated to a large degree. Using existing technologies for business process management, data storage, form submission, document search and redaction can significantly simplify the process of becoming DSAR compliant, regardless of the local legal frameworks such as GDPR, CCPA, WPA, etc.

Here are just a few trusted technology providers who have been in the document management and case management industry. Companies don’t need to build an entirely new technology stack from the ground up to get a solid DSAR software.

Alfresco Digital Business Platform

Alfresco recently announced several changes to their software solutions according to GDPR and CCPA regulations. This makes the Alfresco platform a reliable DSAR Software solution:

Alfresco has updated its Alfresco Governance Services, introduced new Federation Services that enable ‘Manage in Place’ records management, enhanced its E-Discovery and ‘Legal Hold’ with Artificial Intelligence (AI), and added Governance to Desktop Synchronization.”

Here are a few key benefits that Alfresco brings on the market:

  1. Alfresco Federation Services enables users to perform a search through different business and content repository types from a single application with no need for content migration. Now they can search, view and manage information even from non-Alfresco repositories from a single user interface and take any action they like – place the data on hold or export it for further use in e-discovery or review tools. This is a so-called “Manage-in-Place” feature – a single point of access without migration.
  2. Alfresco Governance Services now has AI-powered e-Discovery. It eliminates the complexity of the “Legal Hold” process and speeds up e-discovery tasks. Now companies can process requests faster, even with information stored across geographical borders or different systems.
  3. Desktop Synchronization is now synchronizing not just the data through different repositories but also the data record management policies that are associated with that data. The predefined level of governance will remain associated with different repositories or user’s desktops.
  4. Automation of digital filing and detection of Personal Identifiable Information (PII) provides greater data security and protection in the DSAR process.

With Governance Services as a part of the open source Alfresco Digital Business Platform -the platform can serve as a part of a DSAR software solution.

ArkCase Open Source Case Management and DSAR Solution

If we see DASR software solutions from a workflows perspective, we can easily recognize that any data privacy request, at its base, is a new case. Creating, managing, tracking, and responding to these requests is similar to responding to any other case: legal, FOIA, complaint, etc.

Companies with experience in service request management solutions are developing and promoting DSAR software solutions. ArkCase is one of these DSAR software solutions.

ArkCase is an open source case management system that integrates with the industry leaders such as Alfresco, Content Server, Documentum, Mobius, Ephesoft, etc. With its modular open source platform, configuring specific workflows is fairly straightforward.

The ArkCase Data Request Management module provides a fully functional DSAR software solution out of the box.

For years, ArkCase has supported receiving, processing, tracking, and responding to requests for similar use cases, and has been optimized to support a DSAR application for fast, secure, reliable case management solution.

In ArkCase, editing forms and workflows use a low-code, drag-and-drop technology so that even non-technical staff can easily verify or adapt the functionality to their specific needs. It provides standard but customizable request forms and workflow solutions.

ArkCase can also be easily deployed in different environments in compliance with data storage and security regulations.


The DSAR initiative spawned legal frameworks like GDPR, CCPA, and WPA, and more regulations are in the works until a nation-wide data privacy law is enacted. Only one month after the CCPA law went into effect, there is already a major lawsuit based on its requirements.

Companies should follow the Microsoft example in erring on the side of caution and adopt a DSAR software solution as soon as possible. Luckily, established companies like, Alfresco and ArkCase have developed software solutions to address these regulations.

If you’re looking for a DSAR software solution, hopefully this post was helpful. For more information, don’t hesitate to write us or give us a call. Armedia has been supporting agencies and companies with their data management and case management needs as a solutions integrator. Feel free to give us a call for a no-obligation consultation.

In the meantime, don’t forget to share your opinions in the Comments section below, and share this blog post on social media.