How did your team operationalize DSAR response SLAs under GDPR Art. 12(3)?

We're tightening our DSAR pipeline and hit a gap between the legal requirement (1-month response, extendable to 3) and our operational reality — legal review alone takes 2-3 weeks for complex cases involving cross-system data discovery. Jurisdiction: DE, EU Curious how other teams structured the handoff between automated data mapping and legal sign-off. Did you invest in a DSAR case management tool or build on existing ticketing? What's your realistic p50/p95 turnaround? Note: this is peer experience sharing, not a request for legal advice.