DSARs do not have to be made in writing.
A DSAR can be made by letter, email, text, by telephone or simply by an individual walking in to your reception area and asking for all the information that you hold on that person. In such situations, what is the very first thing that you should do? The answer is really quite obvious, but is often overlooked. The very first thing to be done is to verify the identity of the person making the DSAR which is, perhaps, more difficult than it sounds particularly if the DSAR is made in any form other than in person. Failure to take proper measures to identify the person making the DSAR could very well result in the very thing that the GDPR is designed to prevent, namely the release of personal data to someone who is not entitled to it. To wrongly release personal data in this way would be a serious breach of the GDPR and would render your organisation liable to pay a substantial fine, not to mention the damage it would likely cause to your reputation.
If you require help or guidance on this or any other issue relating to data protection please contact John Devlin at firstname.lastname@example.org or telephone on 01635 580858.