GDPR Subject Access Request: authentication cannot be an afterthought

Image Credit: Pixabay (Image credit: Image Credit: TheDigitalArtist / Pixabay)

As the deadline approached last year, companies scrambled to update their data protection practices. As it happened, some companies did get fined for non-compliance. Following a long period of adjustment, however, GDPR requirements have become normalised into existing compliance programs.

What many companies were ill-prepared for was the onslaught of consumers exercising their rights under the new regime. Under GDPR, a consumer can file a Subject Access Request (SAR) with an organisation to determine if that organisation is processing personal data concerning him or her, and, if the information has been shared, along with the names of the parties with which it has been shared. 

In fact, these are only but a few of the searching questions that the user, as the data subject, can demand answers to. Further, once the SAR has been dispatched to the organisation, it is legally obligated to comply with the request, retrieve the information, and formally respond to the data subject – all within a month.  

Subject Access Request

SARs have become a vexing issue for data controllers as they try to cope with the glut of requests by customers. A number of factors are responsible for this: 

Firstly, there’s no easy way of determining what constitutes a SAR; the regulation empowers the data subject to make a request in the way he or she deems fit – this can be either a handwritten request, a verbal communication or a digital one, ranging from emails to tweets. Given this lack of structure and standardisation, it’s difficult to identify and segment SARs in a scalable way. Organisations are, thus, at risk of being unable to respond to them on time, or failing to take action altogether.         

Secondly, retrieving the requested data to accurately answer questions raised in the SARs, are already proving to be burdensome. In fact, there seems to be growing concern amongst compliance professionals that expending a disproportionate amount of resources toward responding to SARs is untenable in the long run. In fact, several organisations have sought greater regulatory clarity on whether they can begin charging customers for SARs if the requests are deemed excessive.    

And, there is a third concern that requires careful consideration: Authenticating the identity of the individual making the request. Disclosing personal information without authenticating the identity of the individual claiming to be the data subject can have disastrous consequences. Indeed, processing a fraudulent SAR and disclosing personal information to an identity thief undermines the very idea of data protection that GDPR seeks to uphold. Organisations need to ensure that the individual making the SAR isn’t posing as the data subject to steal personal information.

Image Credit: Shutterstock

Image Credit: Shutterstock (Image credit: Pexels)

Authenticating user identities

Inevitably, there will be cases where individuals making the SARs cannot be authenticated using the information possessed by the data controller – the few, but not uncommon, instances where the individual has lost their login credentials, or they no longer have access to the email that they used to set up their account. In such situations, organizations may consider a risk-based approach to determine if the individual making the SAR is indeed the data subject concerned.   

 In retrospect, it would seem that as organisations hastily implemented controls and revamped their data protection programs to become GDPR complaint, the importance of verifying SARs was buried under a mountain of other exigent concerns. Now that organisations have had a year to adjust to this new GDPR-centric environment, the importance of authenticating the identity of the individual making the SAR can no longer be overlooked.

Zac Cohen, General Manager at Trulioo

Zac Cohen
Based in Vancouver, Canada, Zac Cohen is the General Manager of Trulioo, a leading RegTech provider which helps some of the largest tech companies, banks and financial services, prevent fraud, mitigate risk and fulfill compliance requirements. Zac’s unique insights and perspectives are rooted in his intimate knowledge of compliance, risk management and finance, coupled with his track record of scaling tech companies, where he has led strategy, operations and corporate development. At Trulioo, he leads strategic planning and execution, building and empowering high-performance teams. Passionate about creating real and lasting impact on a global scale, Zac is at the forefront of Trulioo’s mission to verify the identity of the entire human population so that everyone, regardless of their circumstances, has access to essential services.