It's now over two years to the month since the biggest change in data protection law for a generation.

A great deal changed when the General Data Protection Regulation (GDPR) came into force, with many headlines written about the maximum fines (the greater of €20 million and 4% of turnover) which could be levied by data protection authorities (such as the UK's Information Commissioner's Office (ICO)) for failure to prevent data breaches. However, many of the changes were an evolution rather than a revolution of the old regime. One such example is the amendments which were made to the data subject access request (DSAR) regime.

Those people whose personal data students' unions process, known as data subjects, have long had a right to request a copy of the information that is held about them by their Students’ Union (SU).  This will include employees, officers, student members and others with whom the SU interacts. However, the GDPR increased data subjects’ awareness of their rights under data protection law and made some tweaks to the DSAR regime which has resulted in increases in the number of DSARs submitted against organisations.

In light of this, and also given DSARs are notoriously time and resource consuming to manage, below we’ve set out a quick-fire Q&A to help SUs identify DSARs and some key pointers on how they might be managed.