Quick answers to your most pressing GDPR and DSAR questions, tailored for UK SMEs.
A **Data Subject Access Request (DSAR)** is a legal request under UK GDPR that allows an individual (data subject) to ask an organisation (data controller) if their personal data is being processed, and if so, to receive a copy of that data and supplementary information.
Yes, you must respond. Unless an exemption applies, you are legally required to respond to a DSAR **within one calendar month** of receiving the request. Failure to respond correctly or on time is a breach of GDPR and can lead to significant scrutiny and potential fines from the Information Commissioner's Office (ICO).
DSAR Helper is designed to track this critical 30-day window from the moment the request is logged.
Before you disclose any personal data, you must take **reasonable steps** to verify the identity of the person making the request. Releasing sensitive personal data to the wrong person is itself a serious data breach.
**Reasonable steps include:** asking for information you already hold (like a customer account number or date of birth) or, in high-risk cases, requesting a copy of an official document (ensuring the document is verified and then deleted).
DSAR Helper requires you to tick the **Identity Verified** box before you can start processing the data, ensuring this vital compliance step is never missed.
The DSAR response is not just the personal data itself; it requires supplementary information to be fully compliant. Your final PDF response must cover:
DSAR Helper's final generation step ensures all these elements are captured and included in the professional PDF output.