The EU GDPR (General Data Protection Regulation) grants individuals (data subjects) the right to access their personal data from data controllers so that they can understand how it is processed and make sure it is processed lawfully.
A request to access personal data is known as a DSAR (data subject access request).
Subject access requests are not new, but the GDPR introduced some changes that make responding to them more challenging.
For instance, organisations may no longer charge a fee, except in certain circumstances, and now have less time to respond.
Failure to respond to DSARs can leave organisations open to the higher level of administrative fines under the GDPR: €20 million or up to 4% of annual global turnover – whichever is greater.