There are 9 references in the GDPR relating to DSAR (right of access): Recital 63 P14 Data subject right of access to personal data, Article 15 P45 Right of access by the data subject, Article 16 P45 Right to rectification, Article 17 P45-P46 Right to erasure (‘right to be forgotten’), Article 18 P46-P47 Right to restriction of processing, Article 19 P47 Notification obligation regarding rectification or erasure of personal data or restriction of processing, Article 20 P47 Right to data portability, Article 21 P47-P48 Right to object, and Article 22 P48 Automated individual decision-making, including profiling.

A DSAR, or right of access, refers to a data subject having access to their information. A DSAR gives all individuals, including employees, the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and to check that you are doing it lawfully within the privacy regulations you have to abide by.

A data subject/individual is only entitled to their own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of another data subject/individual with the correct authorisation). It is extremely important that you establish whether the information requested falls within the definition of personal data and act accordingly. Whatever the outcome, you must communicate with the data subject/individual.

In most cases you cannot charge a fee when you receive a DSAR. However, you can charge a “reasonable fee” for the administrative costs of complying with the request if it is manifestly unfounded or excessive, or if a data subject/individual requests further copies of their data following a request. You should base the reasonable fee on the administrative costs of complying with the request. If you decide to charge a fee, you should contact the individual promptly and inform them. You do not need to comply with the request until you have received the fee. Alternatively, you can refuse to comply with a manifestly unfounded or excessive request.

You must comply with a request within one month of receipt of the request. By ignoring a DSAR, you risk suffering up to 7 damaging consequences when you refuse to act on a data breach, no matter the type or size of your business: #1 Financial Loss, #2 Reputational Damage, #3 Operational Downtime, #4 Legal Action, #5 Loss of Personal Data, #6 Bankruptcy and #7 Personal Liability and/or Prosecution.

Monitor all your DSARs below and action them accordingly. As a member of GDPA, we are here to assist you with your DSAR.