n8n-flow

DSAR / data-subject-request intake triage with n8n

Difficulty

intermediate

Setup time

90min

For

legal-ops · privacy-counsel · dpo

Legal Ops

Stack

An n8n flow that receives data-subject requests (GDPR Art. 15-22, CCPA-CPRA §1798.100-105, equivalent under UK GDPR / LGPD / VCDPA) into a dedicated privacy@ inbox or web form, classifies them by type (access / deletion / rectification / portability / objection / restriction / automated-decision), routes them by jurisdiction to the right counsel, opens a tracking record with the response-deadline clock running, and dispatches a verification request to the data subject. Replaces the manual DSAR-intake spreadsheet that quietly misses the GDPR’s 1-month / CCPA’s 45-day deadlines.

When to use

The firm processes EU/UK personal data (GDPR / UK GDPR triggers) OR California personal information at the CCPA-CPRA threshold OR is subject to LGPD / VCDPA / CPA / CDPA equivalents.
Inbound DSARs are at a frequency where manual tracking starts slipping (usually >5 per month).
The firm has a data-subject-rights workflow defined — what counts as verification, who responds, what data sources to pull from. The flow is the orchestration; the workflow is the substance.

When NOT to use

Auto-responding to DSARs without counsel review. The flow opens the tracking record and verifies identity. The substantive response (data extracted, decision on scope, communication to the subject) is counsel’s call.
Bypassing the verification step. Auto-acting on an unverified DSAR is the most common DSAR failure mode — the request might be from someone other than the data subject, or might be a malicious request to extract another person’s data. The flow’s verification step is non-optional.
Replacing the underlying data-extraction work. The flow tracks; it does not extract data from systems. Each system the firm uses needs its own extraction path (manual or automated); the flow surfaces what to pull from where.
DSARs subject to specific industry rules (HIPAA medical-record requests, FERPA student-record requests, financial-record GLBA requests). Different verification and response procedures apply; this flow’s defaults are GDPR + CCPA-CPRA.

Setup

Import the flow from apps/web/public/artifacts/dsar-intake-triage-n8n/dsar-intake-triage-n8n.json.
Wire credentials. Five required: IMAP / Gmail (privacy@ inbox), Anthropic (Claude classification), Postgres (DSAR tracking table), SMTP (verification send), Slack (counsel notification).
Provision the tracking table. Schema in _README.md — keyed on dsar_id, capturing receipt timestamp, jurisdiction, request type, deadline, status.
Author the verification template. Per jurisdiction (GDPR vs CCPA-CPRA have different verification standards), write a template under n8n/data/verification/<jurisdiction>.md.
Configure routing. Per-jurisdiction counsel routing (EU → DPO, US → privacy counsel, etc.) and per-request-type routing (access vs deletion goes to different paths).
Dry-run on closed DSARs. Replay last quarter’s DSARs (with subject identities anonymized). Confirm classification and routing match what the privacy counsel actually did.

What the flow does

Six nodes. Classification before routing because routing depends on the classification.

Inbox Poll / Webhook — polls the privacy@ inbox every 5 minutes OR receives webhooks from a privacy-rights web form. Pulls subject, body, sender, timestamp.
Classify — Claude call. Returns {request_type, jurisdiction, subject_email, urgency_signal, malicious_signal}. The malicious_signal is non-zero on patterns like “I am the lawyer for X” or “this is for litigation discovery” — those route differently and don’t follow the consumer DSAR path.
Open Tracking Record — INSERT into the DSAR table with deadline computed from jurisdiction (GDPR: 1 month from receipt; CCPA-CPRA: 45 days from receipt; etc.).
Send Verification Request — sends a verification email to the data subject with the per-jurisdiction template. The verification asks for proof of identity sufficient to act on a DSAR — what counts varies by jurisdiction (GDPR is “necessary and proportionate”; CCPA-CPRA requires verifying to a “reasonable degree of certainty”).
Notify Counsel — Slack DM to the routed counsel with: classification, jurisdiction, deadline countdown, link to the tracking record. The counsel’s job from here is to oversee data-extraction and the substantive response.
Audit Append — one row per DSAR per intake to the audit table.

Cost reality

LLM tokens — typically 2-4k input + 0.5-1k output per DSAR. ~$0.02-0.04 per request. Negligible.
n8n execution count — ~5-15/day on average mid-size firm; well within Starter plan.
Counsel time — the win is on the tracking-and-deadline burden, not the substantive work. Manual deadline tracking costs ~30 minutes per DSAR weekly; flow operation surfaces issues at intake and frees the counsel time for the response.

Success metric

Deadline hit rate — share of DSARs responded to within the legal deadline. Should be 100%; below that the firm is exposed to GDPR Art. 83 fines (4% global revenue ceiling for systematic failure) and CCPA-CPRA enforcement.
Verification round-trip time — should drop to under 24 hours from intake (verification email goes immediately on receipt).
Misclassification rate at counsel review — share of DSARs the counsel reclassifies. Should be under 10%; above that, the classification prompt or the routing table needs tuning.

vs alternatives

vs OneTrust / TrustArc / Securiti DSAR modules. Those products handle DSAR end-to-end including system-extraction integrations. Pick them for high-volume firms or firms needing the full privacy-program platform. The flow is the lightweight middle ground.
vs Excel + Outlook rules. The default and the source of missed deadlines.
vs counsel reviews every intake email. Workable at very low volume; the flow earns its setup cost beyond ~5 DSARs/month.

Watch-outs

Classification on borderline requests. Guard: urgency_signal and malicious_signal are surfaced as confidence bands; ambiguous classifications route to the privacy counsel for re-classification rather than guessing.
Verification standard drift. Guard: per-jurisdiction templates pin the verification standard. EU verification asks less than CCPA-CPRA verification.
Identity-spoofing as the requester. Guard: the verification email goes to the email on file (where applicable) — not to the email the request came from. If the request comes from [email protected] claiming to be [email protected], the verification reaches [email protected].
Cross-jurisdiction routing miss. Guard: requests with multiple plausible jurisdictions route to ALL applicable counsel, not the first match. The substantive response selects the controlling jurisdiction.
Deadline calendar miscalculation. Guard: deadline math runs in the workflow’s timezone; the audit log captures the deadline timestamp explicitly so a counsel can verify against the firm’s calendar.
Storage of unverified DSAR data. Guard: the tracking record stores subject-email and request type only until verification clears; full request body is not propagated to systems beyond the audit log until verification confirms.

Stack

The bundle lives at apps/web/public/artifacts/dsar-intake-triage-n8n/:

dsar-intake-triage-n8n.json — the flow export
_README.md — schema, credentials, jurisdiction templates

Tools: n8n, Claude, Slack.

Edit this page on GitHub

Files in this artifact

Download all (.zip)

# DSAR intake triage — n8n flow

Receives data-subject requests, classifies them with Claude, opens a tracking record with the response-deadline clock, dispatches a verification request to the data subject, and notifies privacy counsel via Slack.

## Import

1. Import `dsar-intake-triage-n8n.json` into n8n.
2. Provision the tracking table (DDL below).
3. Wire credentials.
4. Author per-jurisdiction verification templates.
5. Dry-run on closed DSARs before enabling.

## DSAR tracking table

```sql
CREATE TABLE dsar_tracking (
dsar_id TEXT PRIMARY KEY,
received_at TIMESTAMPTZ NOT NULL,
request_type TEXT NOT NULL,
jurisdiction TEXT NOT NULL,
subject_email_claimed TEXT NOT NULL,
sender_email TEXT NOT NULL,
urgency_signal TEXT NOT NULL CHECK (urgency_signal IN ('low','medium','high')),
malicious_signal TEXT NOT NULL CHECK (malicious_signal IN ('low','medium','high')),
deadline TIMESTAMPTZ NOT NULL,
status TEXT NOT NULL CHECK (status IN (
'pending_verification', 'verified', 'in_progress', 'responded',
'denied_unverified', 'denied_invalid', 'closed_not_me'
)),
raw_subject TEXT,
raw_snippet TEXT, -- truncated to 1000 chars
verified_at TIMESTAMPTZ,
responded_at TIMESTAMPTZ,
response_outcome TEXT,
counsel_owner TEXT,
notes TEXT
);

CREATE INDEX dsar_deadline_idx ON dsar_tracking (deadline) WHERE status NOT IN ('responded', 'denied_unverified', 'denied_invalid', 'closed_not_me');
CREATE INDEX dsar_jurisdiction_idx ON dsar_tracking (jurisdiction);
```

A separate audit table (append-only, similar to the litigation-hold audit pattern) records every state transition. Counsel needs the audit chain for regulator inquiries.

## Credentials

- `PLACEHOLDER_GMAIL_PRIVACY_CRED_ID` — read access to `privacy@` mailbox. Use a dedicated mailbox, not a person's inbox.
- `PLACEHOLDER_ANTHROPIC_CRED_ID` — Anthropic API key. Sonnet 4.6 model.
- `PLACEHOLDER_DSAR_DB_CRED_ID` — write access to the tracking table.
- `PLACEHOLDER_SMTP_CRED_ID` — firm mail relay (NOT third-party SaaS — DSARs may flag the existence of personal data the firm holds, which is itself sensitive).
- `PLACEHOLDER_SLACK_CRED_ID` — `chat:write` scope, bot in `#privacy-counsel`.

## Per-jurisdiction verification templates

Save under `n8n/data/verification/<jurisdiction>.md`. The flow's `Send Verification` node reads the template per the classified jurisdiction.

### EU GDPR / UK GDPR

GDPR Art. 12(6) allows requesting "additional information necessary to confirm the identity of the data subject." Standard is "necessary and proportionate." For most consumer DSARs:

> Please reply with a copy (redacted as appropriate) of a government-issued identification, OR confirm three pieces of personal information you provided to the firm in the past two years (e.g. an order reference, the date you created an account, the email used at signup).

### CCPA-CPRA

CCPA Regulations §7060 require verifying to a "reasonable degree of certainty." For most consumer DSARs:

> Please reply with a copy of a government-issued identification, OR confirm three pieces of personal information that match what we hold on you (e.g. account email, order reference number, and a billing zip code).

### LGPD

LGPD Art. 18 §5 allows verification but doesn't specify standard. Brazilian ANPD guidance suggests proportionality similar to GDPR.

### Customizing per jurisdiction

Each template should:

- Name the legal basis for verification (cite the article).
- State what verification information is sufficient.
- State the consequence of non-verification (no action taken, request closed).
- Reference the response deadline so the data subject understands the clock.

## Dry-run procedure

1. Provision the tracking table and audit table on a non-production DB.
2. Wire credentials to staging endpoints.
3. Forward a sample of historic DSARs to a test inbox the flow polls.
4. Confirm: classification matches counsel's reading; deadline computed correctly; verification template fits jurisdiction; Slack notification reaches `#privacy-counsel`.
5. Switch to production credentials.

## Known limits

- Web-form intake (the alternative to email intake) needs a separate webhook node feeding the same `Classify` step. Not bundled.
- The flow doesn't handle the substantive response — that's counsel's work, supported by a separate data-extraction process per system.
- Reminders to counsel as deadlines approach are a separate cron workflow (similar pattern to the litigation-hold tracker). Not bundled.
- Verification-receipt tracking (when the subject replies with their verification) requires a separate webhook + state-transition workflow. Not bundled.
- The flow does not implement DSAR rate-limiting; abusive request patterns from a single sender are surfaced via the `malicious_signal` flag but the counsel decides how to respond.

## What to do when the malicious_signal is high

Examples that would trigger high `malicious_signal`:

- Sender claims to be a lawyer requesting another person's data (this is a discovery request, not a DSAR — different process).
- Request asks for data on a named third party.
- Request mentions impending litigation.

The counsel reviews. Common dispositions:

- Litigation-related: route to outside counsel, treat as discovery not DSAR.
- Lawyer-on-behalf-of: verify lawyer's authority to act for the data subject (power of attorney, written authorization).
- Attempt to extract third-party data: deny and document the denial (regulators may want to see how the firm handled spoofing attempts).

{
  "name": "DSAR intake triage",
  "nodes": [
    {
      "parameters": {
        "pollTimes": { "item": [{ "mode": "everyMinute", "minute": 5 }] },
        "filters": {
          "labelIds": ["INBOX"],
          "q": "in:inbox -from:me -label:dsar-processed newer_than:1d"
        },
        "options": { "downloadAttachments": false }
      },
      "id": "5a5a5a5a-0001-0000-0000-000000000001",
      "name": "Privacy Inbox Poll",
      "type": "n8n-nodes-base.gmailTrigger",
      "typeVersion": 1.2,
      "position": [240, 400],
      "credentials": {
        "gmailOAuth2": {
          "id": "PLACEHOLDER_GMAIL_PRIVACY_CRED_ID",
          "name": "Gmail — privacy@ inbox"
        }
      },
      "notesInFlow": true,
      "notes": "Polls the dedicated privacy@ inbox every 5 minutes. Replace with IMAP / Outlook node if mail lives elsewhere. Web-form intake adds a parallel webhook node feeding the same Classify step."
    },
    {
      "parameters": {
        "method": "POST",
        "url": "https://api.anthropic.com/v1/messages",
        "sendHeaders": true,
        "headerParameters": {
          "parameters": [
            { "name": "Content-Type", "value": "application/json" },
            { "name": "x-api-key", "value": "={{ $credentials.anthropicApi.apiKey }}" },
            { "name": "anthropic-version", "value": "2023-06-01" }
          ]
        },
        "sendBody": true,
        "specifyBody": "json",
        "jsonBody": "={\n  \"model\": \"claude-sonnet-4-6\",\n  \"max_tokens\": 700,\n  \"system\": \"You are a DSAR classifier. Take the email subject and body. Return ONLY valid JSON with these keys: request_type (one of: access, deletion, rectification, portability, objection, restriction, automated_decision, unclear), jurisdiction (one of: EU-GDPR, UK-GDPR, CCPA-CPRA, LGPD, VCDPA, CDPA, CPA, other, unclear), subject_email (the email address of the data subject — usually the sender, but check the body for an explicit identification), urgency_signal (low, medium, high — high if the request mentions a regulatory complaint, lawyer, or specific deadline), malicious_signal (low, medium, high — high if the request claims to be from a lawyer, mentions litigation discovery, or asks for another person's data). Do NOT return prose; only the JSON object.\",\n  \"messages\": [\n    { \"role\": \"user\", \"content\": \"Subject: {{ $json.subject }}\\nFrom: {{ $json.from }}\\n\\nBody:\\n{{ $json.snippet }}\" }\n  ]\n}",
        "options": {
          "response": { "response": { "responseFormat": "json" } },
          "timeout": 30000
        }
      },
      "id": "5a5a5a5a-0001-0000-0000-000000000002",
      "name": "Classify",
      "type": "n8n-nodes-base.httpRequest",
      "typeVersion": 4.2,
      "position": [460, 400],
      "credentials": {
        "anthropicApi": {
          "id": "PLACEHOLDER_ANTHROPIC_CRED_ID",
          "name": "Anthropic API key"
        }
      }
    },
    {
      "parameters": {
        "jsCode": "// Parse Claude classification, compute deadline, prepare DB insert.\nconst llm = $input.first().json;\nconst inbox = $('Privacy Inbox Poll').item.json;\nconst text = llm.content?.[0]?.text || '';\n\nlet cls;\ntry {\n  cls = JSON.parse(text.match(/\\{[\\s\\S]*\\}/)[0]);\n} catch (e) {\n  cls = { request_type: 'unclear', jurisdiction: 'unclear', subject_email: inbox.from, urgency_signal: 'medium', malicious_signal: 'medium' };\n}\n\n// Deadline math per jurisdiction.\nconst DEADLINE_DAYS = {\n  'EU-GDPR': 30,\n  'UK-GDPR': 30,\n  'CCPA-CPRA': 45,\n  'LGPD': 15,\n  'VCDPA': 45,\n  'CDPA': 45,\n  'CPA': 45,\n  'other': 30,  // conservative default\n  'unclear': 30,\n};\nconst days = DEADLINE_DAYS[cls.jurisdiction] || 30;\nconst now = new Date();\nconst deadline = new Date(now.getTime() + days * 86400 * 1000);\n\nreturn [{\n  json: {\n    dsar_id: `dsar-${now.getTime()}-${Math.random().toString(36).slice(2, 8)}`,\n    received_at: now.toISOString(),\n    request_type: cls.request_type,\n    jurisdiction: cls.jurisdiction,\n    subject_email_claimed: cls.subject_email,\n    sender_email: inbox.from,\n    urgency_signal: cls.urgency_signal,\n    malicious_signal: cls.malicious_signal,\n    deadline: deadline.toISOString(),\n    deadline_days: days,\n    raw_subject: inbox.subject,\n    raw_snippet: (inbox.snippet || '').slice(0, 1000),\n    status: 'pending_verification',\n  }\n}];"
      },
      "id": "5a5a5a5a-0001-0000-0000-000000000003",
      "name": "Compute Deadline",
      "type": "n8n-nodes-base.code",
      "typeVersion": 2,
      "position": [680, 400]
    },
    {
      "parameters": {
        "operation": "insert",
        "schema": "public",
        "table": "dsar_tracking",
        "columns": "dsar_id, received_at, request_type, jurisdiction, subject_email_claimed, sender_email, urgency_signal, malicious_signal, deadline, status, raw_subject",
        "additionalFields": {}
      },
      "id": "5a5a5a5a-0001-0000-0000-000000000004",
      "name": "Open Tracking Record",
      "type": "n8n-nodes-base.postgres",
      "typeVersion": 2.4,
      "position": [900, 400],
      "credentials": {
        "postgres": {
          "id": "PLACEHOLDER_DSAR_DB_CRED_ID",
          "name": "Postgres — DSAR tracking"
        }
      }
    },
    {
      "parameters": {
        "fromEmail": "={{ $env.PRIVACY_FROM_EMAIL }}",
        "toEmail": "={{ $('Compute Deadline').item.json.subject_email_claimed }}",
        "subject": "Verification required for your data-subject request — Ref {{ $('Compute Deadline').item.json.dsar_id }}",
        "emailFormat": "text",
        "text": "Hello,\n\nWe received a data-subject request from your email address (or from someone claiming to act on your behalf). To act on this request, applicable law requires us to verify your identity.\n\nReference: {{ $('Compute Deadline').item.json.dsar_id }}\nReceived: {{ $('Compute Deadline').item.json.received_at }}\nDeadline for our response (assuming verification clears within 7 days): {{ $('Compute Deadline').item.json.deadline }}\n\nTo verify, please reply to this email with [jurisdiction-appropriate verification — e.g. for CCPA-CPRA: confirmation of three pieces of personal information we hold on you; for GDPR: a description of the data you are requesting access to and confirmation of your residency status]. See attached template for jurisdiction details.\n\nIf you did not make this request, please reply to this email with 'Not me' and we will close the request without taking action.\n\nThe firm's privacy team",
        "options": {}
      },
      "id": "5a5a5a5a-0001-0000-0000-000000000005",
      "name": "Send Verification",
      "type": "n8n-nodes-base.emailSend",
      "typeVersion": 2.1,
      "position": [1120, 320],
      "credentials": {
        "smtp": {
          "id": "PLACEHOLDER_SMTP_CRED_ID",
          "name": "SMTP — firm mail relay"
        }
      },
      "notesInFlow": true,
      "notes": "Verification goes to the CLAIMED subject email (which classify pulled from the body OR defaulted to sender). If sender ≠ claimed-subject, the verification reaches the alleged subject — protecting against spoofing."
    },
    {
      "parameters": {
        "method": "POST",
        "url": "https://slack.com/api/chat.postMessage",
        "authentication": "predefinedCredentialType",
        "nodeCredentialType": "slackApi",
        "sendBody": true,
        "specifyBody": "json",
        "jsonBody": "={\n  \"channel\": \"#privacy-counsel\",\n  \"text\": \"DSAR intake — {{ $('Compute Deadline').item.json.dsar_id }}\",\n  \"blocks\": [\n    { \"type\": \"section\", \"text\": { \"type\": \"mrkdwn\", \"text\": \"*New DSAR — {{ $('Compute Deadline').item.json.dsar_id }}*\\n*Type:* {{ $('Compute Deadline').item.json.request_type }} · *Jurisdiction:* {{ $('Compute Deadline').item.json.jurisdiction }}\\n*Deadline:* {{ $('Compute Deadline').item.json.deadline }} ({{ $('Compute Deadline').item.json.deadline_days }} days from receipt)\\n*Urgency:* {{ $('Compute Deadline').item.json.urgency_signal }} · *Malicious-signal:* {{ $('Compute Deadline').item.json.malicious_signal }}\\n*Status:* pending_verification — verification email sent\" } }\n  ]\n}",
        "options": {}
      },
      "id": "5a5a5a5a-0001-0000-0000-000000000006",
      "name": "Notify Counsel",
      "type": "n8n-nodes-base.httpRequest",
      "typeVersion": 4.2,
      "position": [1120, 480],
      "credentials": {
        "slackApi": {
          "id": "PLACEHOLDER_SLACK_CRED_ID",
          "name": "Slack bot token (chat:write)"
        }
      }
    }
  ],
  "connections": {
    "Privacy Inbox Poll": { "main": [[{ "node": "Classify", "type": "main", "index": 0 }]] },
    "Classify": { "main": [[{ "node": "Compute Deadline", "type": "main", "index": 0 }]] },
    "Compute Deadline": { "main": [[{ "node": "Open Tracking Record", "type": "main", "index": 0 }]] },
    "Open Tracking Record": {
      "main": [
        [
          { "node": "Send Verification", "type": "main", "index": 0 },
          { "node": "Notify Counsel", "type": "main", "index": 0 }
        ]
      ]
    }
  },
  "settings": {
    "executionOrder": "v1",
    "timezone": "UTC",
    "saveExecutionProgress": true,
    "saveManualExecutions": true
  },
  "active": false,
  "versionId": "1"
}