Data subject access requests are a key part of GDPR. By allowing users to request a copy of the data an organisation holds on them, they ensure transparency and give users the awareness and ability to protect their information.
However, an unexpected side-effect is that they also pose a risk to the very users they are meant to protect, because many organisations do not take sufficient steps to verify that the person making the request really is the data subject.
The issue was discovered by Oxford University PhD student James Pavur. Having sent 150 data subject access requests in his fiancée’s name, he was given her data by almost a quarter of the organisations with no more confirmation of identity than her email address or phone number.
As reported by Econsultancy:
Clearly, subject access creates a significant and previously not well-publicized risk for businesses.
While GDPR compliance has been a great concern for many companies, and Pavur’s research indicates that a large percentage are taking subject access requests seriously, the lack of a standard for what constitutes reasonable identity verification leaves companies vulnerable and gives bad actors the ability to turn a consumer data protection law into a weapon for stealing consumer data.
Perhaps not surprisingly, just as small and mid-sized organizations struggled the most to prepare for the GDPR, these organizations also appear to be the most vulnerable to subject access abuses. According to Pavur, the largest organizations he sent requests to “tended to perform well”. Non-profits and mid-sized businesses, on the other hand, were responsible for 70% of the mishandled requests.
You can read the full article from Econsultancy here: https://econsultancy.com/identity-verification-is-now-an-important-gdpr-issue/
The data that Pavur gained access to was often of a sensitive nature. In one case, he was able to obtain his fiancée’s US social security number without providing any documentation. He also obtained bank details, and usernames and passwords that had already been exposed in earlier breaches and were still in use.
All of this indicates that there is still a long way to go when it comes to GDPR compliance. In attempting to comply with the law on data subject access requests, organisations were actually failing in their obligation to protect user data: handing personal data to an impostor is an unauthorised disclosure, in other words a personal data breach in its own right. GDPR itself anticipates this. Recital 64 expects controllers to use all reasonable measures to verify the identity of a data subject making a request, and Article 12(6) allows a controller with reasonable doubts about the requester’s identity to ask for additional information before responding. A request that arrives from an unverified email address or phone number is exactly the situation those provisions are there for.
If you’re uncertain about how to ensure GDPR compliance, Activa Consulting can help. Get in touch with us today and our expert data protection consultants will provide the guidance that you need.