Ever since the General Data Protection Regulation (“GDPR”) came into force on 25 May 2018, responding to Subject Access Requests (“SARs”) has become an almost day to day job for plenty of businesses.
This boom in the number of SARs can largely be put down to two main factors:
- The first is the increased awareness amongst the general public of their own data protection rights, resulting from the publicity surrounding GDPR coming into force and a number of high profile data protection-related news stories, such as the Cambridge Analytica affair.
- The second key reason is that there is no longer any fee payable (unless the request is “manifestly unfounded or excessive”, in which case a reasonable fee may be charged). Under previous legislation, a £10 fee could be charged by businesses to the individual making the request. It seems that the removal of this small barrier has opened the floodgates.
As well as opening the door for many legitimate (and some spurious) SARs, the removal of the £10 fee has also made the SAR into another potential tool for hackers to use when seeking to obtain personal data which can then be used for identity theft purposes.
A recent study carried out by James Pavur, a PhD student at Oxford University, demonstrated the vulnerabilities created by the sheer number of SARs most businesses face nowadays. The volume of requests, and the relatively short period in which to respond (only one month), creates significant pressure on the employees tasked with dealing with SARs. This, coupled with the potentially huge fines which can be levied under GDPR, creates an environment in which the prevailing attitude can end up being one of “get the response over and done with without asking too many questions”.
Mr Pavur’s theory is that this regulatory framework may lead to SARs being responded to without the business having confirmed the identity of the individual actually making the request. In order to test this theory, Mr Pavur sent out 150 SARs in the name of his fiancée. The aim of the experiment was to obtain as much personal information about his fiancée as he could, without the various businesses finding out that it was not actually his fiancée making the request (for those wondering, she was complicit in this experiment!).
The results are either interesting, or quite concerning, depending on your viewpoint. 24% of the companies responded on the basis of nothing more than an email address and phone number, and sent over all data they had on Mr Pavur’s fiancée. A further 16% requested some ID, which Mr Pavur described as ID that could be “easily forged”.
Other companies asked for log in details to prove identity. However, one of these companies sent over all the personal data it held after Mr Pavur simply told them he had forgotten the log in details.
The information received by Mr Pavur ticks all of the boxes for the type of personal data a hacker could use to carry out all kinds of identity theft online: social security number, date of birth, mother's maiden name, 10 digits of a credit card number, credit card expiration date, card type and postcode.
The advice for businesses off the back of this study is clear: you must be certain of the identity of the individual making the SAR or, where it is made on behalf of another person, that the individual making the request has the proper authority.
GDPR does provide companies with the power to request information necessary to confirm identity, where there are “reasonable doubts” about the identity of the person making the request. However in the time pressured environment of having to respond to SARs within a month, it is easy to see how asking for appropriate ID gets overlooked.
Don’t be afraid to use the powers granted by GDPR if you have any doubts at all about the identity of the individual making the request. Sending out personal data to a hacker in response to a fraudulent SAR is likely to be a data breach in its own right, thereby turning what is an attempt to comply with GDPR into a whole new set of data protection issues for an organisation.
If you have any questions regarding the above, please feel free to email Jack Horwitz at firstname.lastname@example.org. or visit the website for more information.
Note: The content of this article is for general information only and does not constitute legal advice. Specific legal advice should be taken in any specific circumstance.