Subject Access Requests (SARs) under the GDPR

Now is the time to tighten up your identity verification methods. Without them, you expose yourself to scrutiny from GDPR regulators and put your customers at risk of fraud.

Individuals Can Request Access to Their Personal Data

Article 15 of the GDPR gives individuals a “right of access” to their personal data, under which they can request specifics about the personal data a business holds about them: the organization’s purpose for processing the data, the categories of personal data held, who has access to it, whether it will be transferred outside the EU, how long it is stored, whether any automated decision-making applies to it, and more.

Data controllers are further obligated in Article 20 to provide this data to data subjects within one month of receiving the request. The information must also be provided for free, though an administrative fee may be charged if the request is deemed excessive or unreasonable.

A critical step in complying with this requirement under the GDPR is verifying the identity of an individual making a subject access request so as not to inadvertently disclose personal data to the wrong individual (which would constitute a breach under the regulation).

Thorough Identity Verification is Essential Before Responding to SARs

A few security researchers recently demonstrated how, using easily accessible categories of personal information such as full name, email address and phone number, hackers or other malicious actors could use SARs to gain access to a wealth of personal information on their targets. Each newly acquired set of data allowed the researchers to impersonate their target and extract further information from unsuspecting companies. Through SARs made with the information they gained, the researchers were able to acquire their target’s Social Security Number, date of birth, mother’s maiden name, passwords, previous home addresses, travel and hotel logs, high school grades and partial credit card numbers, and to learn whether she had ever used online dating services. This is a gold mine for fraudsters, who can easily recreate a person’s online identity from such information.

According to the study, 25 percent of companies who responded to the SARs provided sensitive data without properly verifying the identity of the sender, while another 15 percent requested data that could have easily been forged.

Finding Balance Between Identity Verification Systems and Ease of Access

Companies are in a difficult position when it comes to identifying illegitimate SARs. They will be expected to have robust identity verification systems in place to prevent falling prey to these kinds of attacks. On the other hand, companies also have to avoid being penalized for either making the request process too burdensome for the data subjects or for collecting excessive amounts of personal data just for the authentication itself.

Unfortunately, data protection authorities have offered little guidance on recommended identity verification procedures beyond a call for “proportionality.” Widely available industry standards such as NIST’s digital identity guidelines can help companies apply state-of-the-art methods of identification, authentication, and authorization, but we are likely to see more security incidents resulting from inadequate identity verification practices at organizations receiving SARs.
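The balance described above (verify the requester without collecting more personal data for the check itself) is easiest to strike by proving control of a contact channel the organization already holds, rather than asking for name, date of birth or other details that the study above showed are easily obtained. The following is an added example written for this page, not code from the article or from any regulator or standards body: a minimal SAR intake flow in Python that sends a single-use token only to the email address already on record, stores just a digest of that token, compares it in constant time, and expires or locks the request after a bounded number of attempts. The account data, the `SarVerifier` class, the `TOKEN_TTL_SECONDS` and `MAX_CONFIRM_ATTEMPTS` values and the `send_email` callback are all assumptions made for the illustration.

```python
"""Proportionate identity verification for a subject access request (SAR).

Illustrative code, not from the article. Rather than trusting identifiers the
requester types in (name, email, phone), it sends a one-time token to the
email address already associated with the account and releases nothing until
that token is presented. Constants and class names are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 24 * 60 * 60   # assumption: one day to confirm the request
MAX_CONFIRM_ATTEMPTS = 5            # assumption: lock the request after 5 bad tokens


def _hash_token(token: str) -> bytes:
    """Only a digest is stored, so a leaked pending-request table can't be replayed."""
    return hashlib.sha256(token.encode("utf-8")).digest()


@dataclass
class Account:
    account_id: str
    email_on_record: str


@dataclass
class PendingRequest:
    account_id: str
    token_digest: bytes
    created_at: float
    attempts: int = 0
    verified: bool = False


class SarVerifier:
    """Verifies a SAR by proving control of the email address on record."""

    def __init__(self, accounts, send_email, now=time.time):
        self._by_email = {a.email_on_record.lower(): a for a in accounts}
        self._send_email = send_email   # callable(to_address, request_id, token)
        self._now = now                 # injectable clock so expiry can be tested
        self._pending = {}              # request_id -> PendingRequest

    def open_request(self, claimed_email: str) -> str:
        """Start a request. A request id is returned whether or not the email is
        known, so the intake endpoint does not reveal who is a customer."""
        request_id = secrets.token_urlsafe(16)
        account = self._by_email.get(claimed_email.strip().lower())
        if account is None:
            return request_id           # nothing is sent; no pending record
        token = secrets.token_urlsafe(32)
        self._pending[request_id] = PendingRequest(
            account.account_id, _hash_token(token), self._now())
        # The challenge goes only to the address on record, never to an
        # address supplied in the request.
        self._send_email(account.email_on_record, request_id, token)
        return request_id

    def confirm(self, request_id: str, token: str) -> bool:
        """Accept the token sent to the address on record, within TTL and attempt limits."""
        req = self._pending.get(request_id)
        if req is None or req.verified:
            return False
        if self._now() - req.created_at > TOKEN_TTL_SECONDS:
            del self._pending[request_id]   # expired: requester must start over
            return False
        if req.attempts >= MAX_CONFIRM_ATTEMPTS:
            return False                    # locked after too many bad guesses
        req.attempts += 1
        if hmac.compare_digest(_hash_token(token), req.token_digest):
            req.verified = True
            return True
        return False

    def verified_account(self, request_id: str):
        """Account id whose data may now be released, or None if unverified."""
        req = self._pending.get(request_id)
        return req.account_id if req is not None and req.verified else None


if __name__ == "__main__":
    # Constructed sample data: one customer and an in-memory outbox standing
    # in for the mail system.
    outbox = []
    verifier = SarVerifier(
        [Account("acct-1001", "alice@example.com")],
        send_email=lambda to, rid, tok: outbox.append((to, rid, tok)))
    rid = verifier.open_request("alice@example.com")
    _, _, token = outbox[-1]
    print("wrong token accepted:", verifier.confirm(rid, "not-the-token"))
    print("real token accepted: ", verifier.confirm(rid, token))
    print("release data for:    ", verifier.verified_account(rid))
```

The design keeps the data collected for verification to the minimum (an email address the organization already holds), gives the intake endpoint identical behaviour for known and unknown addresses, and makes the pending-request store safe to log or back up because it never contains a usable token. Where a stronger channel is on record (an authenticated customer account, a postal address for high-risk data), the same shape applies with the challenge routed through that channel instead.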

For your business, you should be in compliance as long as you have a valid identity verification system in place that follows industry standards. A data incident involving SARs is a huge red flag to regulators and could put your entire company under a microscope.

Contact us if you have questions about GDPR compliance, data management, or SARs. We can help you build both a system and a culture of data protection to keep your data safe.