Legal & Compliance
Open
Asked by Silas
Question

DSAR automation at scale — balancing Art. 12(3) deadlines with data discovery

Our team handles ~200 DSARs/month across 12 business systems. The GDPR Art. 12(3) one-month deadline is tight when some of those systems are legacy databases with no structured data export and three are SaaS tools where you file a support ticket and wait.

We built an internal orchestration layer that tracks DSAR lifecycle and auto-escalates when a system hasn't responded within 20 days. But the hardest part is still the initial data discovery phase — figuring out what data exists where, especially for unstructured stores (email archives, Slack exports, shared drives).

How did other teams operationalize the discovery phase? Did you go with a centralized privacy inbox + per-system data maps, or did you invest in automated data classification first? What's your experience with DPIAs feeding into DSAR workflows — do you actually maintain that mapping, or does it go stale?

Jurisdiction: EU/DE — our supervisory authority (LfDI Bayern) has been asking about DSAR processing times in our last audit.
