GDPR subject access requests (SARs): an authentication blind spot


September 4, 2019  


More than a year has passed since the significant General Data Protection Regulation (GDPR) deadline. Consumers have become increasingly wary of their data privacy, wanting to know where their data is stored and who has access to it. Consequently, the number of subject access requests (SARs), or consumers asking organizations for their personal information, is on the rise — up 36 percent in some sectors.

Under the GDPR, if a person — that is, a data subject — wants to know what personal data an organization has on file about them, and who that data has been shared with, they can request the information by way of a SAR. Organizations have one month to comply with the request or risk facing hefty fines. However, it is imperative that businesses first verify the authenticity of the SAR, and the identity of the person submitting it, before releasing any personal information.

Two unfortunate trends have emerged from this first year under the GDPR: 1) a rise in attempts to steal identities, and 2) the inadequate delivery of data following SARs.

One year under the GDPR: a rise in ID theft

Since the advent of the GDPR, data breach complaints have risen sharply, almost doubling in the UK alone. In the EU, the European Data Protection Supervisor (EDPS) has received around 95,000 complaints about GDPR violations. Unfortunately, while it is becoming easier and much more common for consumers to access their personal data, criminals are beginning to take advantage of this in an attempt to steal identities.

For example, last year a Spotify account was hacked by fraudsters by means of a SAR, which gave them access to a user’s entire streaming history, date of birth and card details. The penalties for such violations are up to 4 percent of global turnover, not an insignificant sum, and a major hit for some companies.

One year under the GDPR: inadequate subject access requests

For many organizations, the GDPR has created difficulties in regard to providing consumers with the required information following a SAR. Privacy group Noyb, led by activist Max Schrems, states that this is currently the biggest GDPR-related challenge faced by firms. The GDPR outlines that once a consumer submits a SAR, they are entitled to all of their data, as well as a detailed history of where it has been shared.

However, many businesses are failing to provide this data and sharing history. In the test Noyb completed, they found that large companies didn’t provide the relevant background information meant to help consumers understand how their data is used. They found that many organizations either set up automated responses, like Spotify (“Spotify takes data privacy and our obligations to users extremely seriously”), or, in most cases, only provided users with undecipherable raw data.

Businesses are also struggling to ensure that they are handing the data to the right person. As the GDPR deadline approached last spring, organizations hastily implemented controls and restructured their data protection programs to become GDPR compliant and avoid hefty fines. As such, the importance of verifying SARs was buried under a mountain of other prioritized concerns. Now that organizations have had a year to adjust to this new GDPR-centric environment, there is no excuse for an inability to authenticate the identity of the individual submitting the SAR.

In another study, GDPArrrrr: Using Privacy Laws to Steal Identities, James Pavur and Casey Knerr sent SARs to more than 150 companies to check their ability to properly handle the requests. As the requests were not sent by the individual themselves, no sensitive information should have been shared by the companies.

The responses varied immensely; many companies did not even respond, which raises the question of whether they have a process in place at all. Some of the companies willingly provided highly sensitive information, or even deleted an account, with little or no verification of the individual making the request. On a positive note, some companies did have proper procedures, including strong identity verification, in place:

  • Required “strong” ID — 39 percent
  • Gave PII — 24 percent
  • Accepted weak ID — 16 percent
  • Ignored GDPR — 13 percent
  • No data — 5 percent
  • Deleted account — 3 percent

The study suggests that approximately 60 percent of companies that have obligations under the GDPR don’t have an effective SAR response. While the fines for failures were not substantial in the first year of the regulation, significant fines to British Airways and Marriott International do indicate that “GDPR enforceability has caught momentum.” The suggestion that six out of 10 companies are not following the law only adds to the incentive for the EU to increase enforcement and penalties.

If an individual’s personal data is given to a malicious actor, it will not only affect the business through fines and reputational damage, but the individual is also put at risk of identity theft, among other things. Moreover, it undermines the whole concept of data protection that the GDPR seeks to accomplish.

The case for a risk-based approach

To reduce the amount of identity theft and complaints, and to better manage SARs, businesses are turning to a risk-based approach.

For example, if someone were trying to access data collected about their music selection, businesses could consider asking for identifying information already available in their database, such as the email used to create the account, and then verify the user using email authentication.

If an individual wanted to access private health information, stronger identifiers such as eye color may be needed, and this data can be collected during the onboarding process. If businesses request strong identifiers at the account creation stage, it will provide an extra layer of authentication if, or when, the consumer requests any of their personal information.
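The tiered process described above, as an added example that is not part of the original article: a small Python module that maps each requested data category to a sensitivity tier, sends an email challenge to the address already on file (never to an address the requester supplies), accepts a stronger onboarding identifier only after email control is proven, and releases just the categories the achieved tier covers. The category names, tiers, token lifetime, attempt limit, and the sample account are all constructed assumptions; the onboarding identifier is stored only as a salted PBKDF2 hash.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed: sensitivity tier per data category a SAR may ask for.
# Tier 1 requires proof of control of the e-mail on file; tier 2 additionally
# requires the stronger identifier collected at onboarding.
CATEGORY_TIER = {"listening_history": 1, "profile": 1,
                 "payment_details": 2, "health_records": 2}
TOKEN_TTL_SECONDS = 15 * 60   # assumption: e-mail challenge valid for 15 minutes
MAX_STRONG_ATTEMPTS = 3       # assumption: cap guesses at the onboarding identifier


def hash_identifier(value: str, salt: bytes) -> bytes:
    """Hash the onboarding identifier so its raw value is never stored."""
    return hashlib.pbkdf2_hmac("sha256", value.strip().lower().encode(), salt, 100_000)


@dataclass
class Account:
    account_id: str
    email: str          # address on file (lower-cased); the challenge goes here
    id_salt: bytes
    id_hash: bytes      # hashed strong identifier captured at onboarding
    data: dict          # constructed per-category personal data


@dataclass
class SarRequest:
    request_id: str
    account_id: Optional[str]
    categories: list
    required_tier: int
    verified_tier: int = 0
    token: Optional[str] = None
    token_expires: float = 0.0
    strong_attempts: int = 0


class SarVerifier:
    """Risk-based verification of subject access requests (added example)."""

    def __init__(self, accounts: dict, now=time.time):
        self.accounts = accounts
        self.requests = {}
        self.outbox = []   # stand-in for the e-mail sender: (address, token)
        self.now = now     # injectable clock so expiry can be tested

    def open_request(self, claimed_email: str, categories: list) -> SarRequest:
        # Unknown categories are treated as the most sensitive tier.
        required = max(CATEGORY_TIER.get(c, 2) for c in categories)
        account = next((a for a in self.accounts.values()
                        if a.email == claimed_email.strip().lower()), None)
        req = SarRequest(secrets.token_hex(8), account.account_id if account else None,
                         list(categories), required)
        self.requests[req.request_id] = req
        if account is not None:
            # Challenge is sent to the address on record, not a reply-to from the request.
            req.token = secrets.token_urlsafe(32)
            req.token_expires = self.now() + TOKEN_TTL_SECONDS
            self.outbox.append((account.email, req.token))
        return req

    def confirm_email(self, request_id: str, token: str) -> bool:
        req = self.requests[request_id]
        if req.token is None or self.now() > req.token_expires:
            return False
        if not hmac.compare_digest(req.token, token):
            return False
        req.token = None                      # single use
        req.verified_tier = max(req.verified_tier, 1)
        return True

    def confirm_strong_identifier(self, request_id: str, answer: str) -> bool:
        req = self.requests[request_id]
        if req.verified_tier < 1 or req.strong_attempts >= MAX_STRONG_ATTEMPTS:
            return False                      # e-mail control first; limit guessing
        req.strong_attempts += 1
        account = self.accounts[req.account_id]
        if not hmac.compare_digest(account.id_hash, hash_identifier(answer, account.id_salt)):
            return False
        req.verified_tier = 2
        return True

    def release(self, request_id: str) -> dict:
        """Return only the categories the achieved tier allows; name the rest as withheld."""
        req = self.requests[request_id]
        if req.account_id is None or req.verified_tier < 1:
            return {"released": {}, "withheld": list(req.categories)}
        account = self.accounts[req.account_id]
        released = {c: account.data.get(c) for c in req.categories
                    if CATEGORY_TIER.get(c, 2) <= req.verified_tier}
        withheld = [c for c in req.categories if c not in released]
        return {"released": released, "withheld": withheld}


def build_sample_accounts() -> dict:
    """Constructed sample account; the onboarding identifier is a placeholder value."""
    salt = secrets.token_bytes(16)
    data = {"listening_history": ["song A", "song B"], "payment_details": "card ending 1234"}
    return {"acct-1": Account("acct-1", "alice@example.com", salt,
                              hash_identifier("constructed-onboarding-value", salt), data)}
```

A request for listening history and payment details is classified at tier 2, so after the email challenge alone only the listening history is released and the payment details are listed as withheld; a request naming an address that is not on file never receives a token and so can never be confirmed. Logging each `release` outcome, released and withheld categories included, gives the audit trail a regulator would expect.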

To say that bad actors are becoming increasingly more sophisticated is an understatement — it’s evident they’re relentless in their search for new fraud techniques. If organizations can stay one step ahead by leveraging privacy-first identity verification solutions, it puts them in a good position to tackle fraud in this post-GDPR world.