Extract from Dina Khemlani Hetherington’s article “A DSAR Just Landed in Your Inbox. Now What?”
A practical guide for founders and SME owners
You are a founder or an SME owner. You have customers, staff, maybe some contractors. You have a privacy policy somewhere — probably the one your web developer put up when they built the site.
Then one morning an email arrives. It might say something like: “Please send me all the personal information you hold about me.” It might not even use the words “data subject access request.” It might just say: “I want to know what data you have on me.”
That email is a DSAR — a data subject access request — and the clock starts the moment it lands.
What is a DSAR and who sends them?
Under the UK GDPR and the Data Protection Act 2018, any individual whose personal data you process has the right to ask for a copy of it. That individual is called a data subject, which in practice means any of your customers, former customers, job applicants, current employees, former employees, or business contacts.
