GDPR Subject Access Request: Authentication must not be neglected
In 2018, as the 25 May application date for the GDPR loomed, businesses across Europe scrambled to bring their data privacy practices into line with the new law. Inevitably, companies have since been fined for failing to comply.
Now, almost 12 months on, with EU residents exercising their new rights, GDPR compliance has been integrated into the policies and practices of most European companies. But not all: many companies were, and still are, unprepared for the volume of consumers exercising their rights under the regulation.
Under the GDPR, EU residents can submit a Subject Access Request (SAR) to a company to establish whether it is collecting or processing their personal data, to obtain a copy of that data, and to learn whether it has been shared with third parties. If personal data has been shared, the recipients, or at least the categories of recipient, must also be disclosed.
But these are only a few of the questions that the “data subject” can legally demand answers to. Once the SAR has been received, the company must respond without undue delay and in any event within one month (extendable by a further two months for complex or numerous requests, provided the data subject is told the reason within the first month).
Dealing with SARs is often frustrating for data controllers, who struggle to keep up with large numbers of requests, mostly from customers. The recurring difficulties are:
- What constitutes a SAR?
The GDPR lets the individual (the “data subject”) make a request in any form he or she chooses: a handwritten letter, a phone call, an email or even a tweet. Since there is no standard ‘vehicle’, it can be difficult to identify and triage SARs in a scalable way, and businesses run the risk of missing the statutory one-month deadline or of taking no action at all.
- Retrieval of requested data to accurately respond to queries raised in the SARs.
Increasing numbers of compliance practitioners argue that spending a disproportionate amount of time and resources on responding to SARs is unsustainable in the long term. Several organisations have sought clearer regulatory guidance on when they can legitimately charge a fee for, or refuse, requests they consider manifestly unfounded or excessive, something the regulation permits in principle but does not define precisely.
- Authenticating the requestor’s identity.
Make no mistake: there can be disastrous consequences for any organisation that discloses personal data without authenticating the identity of the individual claiming to be the data subject. Processing a fraudulent SAR and handing personal data to a fraudster undermines the entire purpose of the GDPR. Businesses must ensure that the person who submitted the SAR is not posing as the data subject with the intention of stealing their personal information.
Authenticating individuals’ identities
There are often cases where the individual making the Subject Access Request cannot be authenticated using the information held by the data controller. Inevitably, there will be situations in which an individual has forgotten their login details, or no longer has access to the email address they originally used to set up the account. In such circumstances, companies may consider a risk-based approach, weighing the evidence the requester can supply against what is already held on file, in order to determine whether the person making the SAR is indeed the data subject concerned.
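The following Python sketch is an added illustration of such a risk-based decision; it is not code from the original article, nor any regulator's prescribed method. The signal weights, thresholds, field names and sample records are all hypothetical assumptions chosen for the example. It shows three things a practitioner would want the procedure to do: treat a supplied fact that contradicts the record as a red flag rather than as "no evidence", treat a request to send the data somewhere other than the contact details on file as a further red flag, and, when the request is approved, always deliver to the contact on file rather than to an address the requester supplied.

```python
"""Risk-based verification of a Subject Access Request (SAR).

Added example, not from the original article. Weights, thresholds,
field names and sample data are hypothetical assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Decision(Enum):
    VERIFIED = "verified"            # answer the SAR, sending the data to the contact on file
    MORE_EVIDENCE = "more_evidence"  # ask for further proof (e.g. an ID document) before disclosing anything
    REJECT = "reject"                # suspected impersonation; escalate rather than answer


@dataclass(frozen=True)
class SubjectRecord:
    """What the controller already holds about the data subject (constructed sample shape)."""
    email: str
    postal_code: str
    phone_last4: str
    last_order_id: str


@dataclass(frozen=True)
class SarRequest:
    """What arrived with the request. Fields are optional: a letter carries no sender e-mail."""
    channel: str                               # "email", "letter", "phone", "web_form"
    authenticated_session: bool = False        # requester logged in with their normal credentials
    sender_email: Optional[str] = None
    postal_code: Optional[str] = None
    phone_last4: Optional[str] = None
    last_order_id: Optional[str] = None
    requested_delivery: Optional[str] = None   # where the requester asks the data to be sent


# Hypothetical weights: (request field, record field, weight). A contact channel the
# controller can reach (the e-mail on file) is worth more than facts a third party
# could plausibly know or guess (postcode, last four digits of a phone number).
SIGNALS = [
    ("sender_email", "email", 3),
    ("last_order_id", "last_order_id", 2),
    ("postal_code", "postal_code", 1),
    ("phone_last4", "phone_last4", 1),
]
MISMATCH_PENALTY = 2   # a supplied fact that contradicts the record counts against the request
VERIFY_THRESHOLD = 3   # hypothetical: enough matching evidence to disclose
REJECT_THRESHOLD = -2  # hypothetical: enough contradictions to treat as impersonation


def _norm(value: Optional[str]) -> Optional[str]:
    """Case- and whitespace-insensitive comparison of supplied facts."""
    return value.strip().lower() if value else None


def score_request(record: SubjectRecord, request: SarRequest) -> int:
    """Sum weights of supplied facts that match the record; subtract a penalty for each contradiction."""
    score = 0
    for request_field, record_field, weight in SIGNALS:
        supplied = _norm(getattr(request, request_field))
        if supplied is None:
            continue  # nothing supplied is neutral, not evidence either way
        on_file = _norm(getattr(record, record_field))
        score += weight if supplied == on_file else -MISMATCH_PENALTY
    return score


def verify_sar(record: SubjectRecord, request: SarRequest) -> Tuple[Decision, Optional[str]]:
    """Return (decision, delivery target). Disclosure only ever goes to the contact on file."""
    if request.authenticated_session:
        return Decision.VERIFIED, record.email
    score = score_request(record, request)
    # Asking for the data to be sent somewhere other than the contact on file is itself a risk signal.
    if request.requested_delivery and _norm(request.requested_delivery) != _norm(record.email):
        score -= MISMATCH_PENALTY
    if score <= REJECT_THRESHOLD:
        return Decision.REJECT, None
    if score >= VERIFY_THRESHOLD:
        return Decision.VERIFIED, record.email
    return Decision.MORE_EVIDENCE, None


# Constructed sample data for the three situations discussed above.
SUBJECT = SubjectRecord(email="jane.doe@example.com", postal_code="SW1A 1AA",
                        phone_last4="4412", last_order_id="ORD-10422")
GENUINE_BY_EMAIL = SarRequest(channel="email", sender_email="Jane.Doe@example.com",
                              last_order_id="ORD-10422")
LETTER_FORGOTTEN_LOGIN = SarRequest(channel="letter", postal_code="SW1A 1AA", phone_last4="4412")
IMPERSONATOR = SarRequest(channel="email", sender_email="jane.doe.2019@example.net",
                          postal_code="SW1A 1AA", requested_delivery="jane.doe.2019@example.net")

if __name__ == "__main__":
    for name, req in [("genuine e-mail", GENUINE_BY_EMAIL),
                      ("letter, login forgotten", LETTER_FORGOTTEN_LOGIN),
                      ("impersonator", IMPERSONATOR)]:
        print(name, verify_sar(SUBJECT, req))
```

The genuine request from the e-mail address on file is verified and answered to that address; the letter from someone who has lost their login gets a modest score from the postcode and phone digits and is asked for further proof rather than refused; the impersonator who writes from a different address, asks for delivery to it, and only knows the postcode is rejected. Tune the weights to your own data, and never let a high score override the delivery rule: the data goes to the contact details already held, not to whatever address arrived with the request.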
Looking back over the last year, it is fair to say that, as businesses scrambled to implement policies and procedures to become GDPR compliant, the vital ingredient of verification was swept under the carpet while other “more pressing” updates to data protection practices were applied.
So, as the first anniversary of the GDPR approaches, the important task of authenticating the identity of individuals making Subject Access Requests can no longer be neglected.