GDPR Subject Access Request: Authentication Cannot Be an Afterthought

How are businesses dealing with privacy complaints under GDPR?

As the deadline approached last year, companies scrambled to update their data protection practices. As it happened, some companies did get fined for non-compliance. Following a long period of adjustment, however, GDPR requirements have become normalised into existing compliance programs.

What many companies were ill-prepared for was the onslaught of consumers exercising their rights under the new regime. Under GDPR, a consumer can file a Subject Access Request (SAR) with an organisation to determine if that organisation is processing personal data concerning him or her, and, if the information has been shared, along with the names of the parties with which it has been shared.

In fact, these are only but a few of the searching questions that the user, as the data subject, can demand answers to. Further, once the SAR has been dispatched to the organisation, it is legally obligated to comply with the request, retrieve the information, and formally respond to the data subject – all within a month.

Subject Access Request

SARs have become a vexing issue for data controllers as they try to cope with the glut of requests by customers. A number of factors are responsible for this:

Firstly, there’s no easy way of determining what constitutes a SAR; the regulation empowers the data subject to make a request in the way he or she deems fit – this can be either a handwritten request, a verbal communication or a digital one, ranging from emails to tweets. Given this lack of structure and standardisation, it’s difficult to identify and segment SARs in a scalable way. Organisations are, thus, at risk of being unable to respond to them on time, or failing to take action altogether.

Secondly, retrieving the requested data to accurately answer questions raised in the SARs, are already proving to be burdensome. In fact, there seems to be growing concern amongst compliance professionals that expending a disproportionate amount of resources toward responding to SARs is untenable in the long run. In fact, several organisations have sought greater regulatory clarity on whether they can begin charging customers for SARs if the requests are deemed excessive.

And, there is a third concern that requires careful consideration: Authenticating the identity of the individual making the request. Disclosing personal information without authenticating the identity of the individual claiming to be the data subject can have disastrous consequences. Indeed, processing a fraudulent SAR and disclosing personal information to an identity thief undermines the very idea of data protection that GDPR seeks to uphold. Organisations need to ensure that the individual making the SAR isn’t posing as the data subject to steal personal information.

Authenticating user identities

Inevitably, there will be cases where individuals making the SARs cannot be authenticated using the information possessed by the data controller – the few, but not uncommon, instances where the individual has lost their login credentials, or they no longer have access to the email that they used to set up their account. In such situations, organizations may consider a risk-based approach to determine if the individual making the SAR is indeed the data subject concerned.

In retrospect, it would seem that as organisations hastily implemented controls and revamped their data protection programs to become GDPR complaint, the importance of verifying SARs was buried under a mountain of other exigent concerns. Now that organisations have had a year to adjust to this new GDPR-centric environment, the importance of authenticating the identity of the individual making the SAR can no longer be overlooked.

This article first appeared on TechRadar.