Test reveals some companies are still not prepared for data subject access requests – are you?

2nd September 2019

A recently published test undertaken by a University of Oxford-based researcher[1] shows that, over a year since the EU General Data Protection Regulation (GDPR) came into force, some companies have yet to get to grips with responding to requests by data subjects exercising their right of access under the new legislation.

Data subject access requests (DSARs) themselves are not new, but with the substantial media attention on GDPR and the new prohibition (in most circumstances) on charging fees for responding, combined with data subjects’ concerns over data privacy and greater awareness of their rights, the right of access is now being exercised more frequently. Walker Morris data protection and privacy experts Jeanette Burgess and Andrew Northage explain.

The right of access

Individuals have the right to obtain a copy of the personal data that an organisation holds on them (subject to some specific exemptions). A DSAR can be made to either a data controller or a data processor, but the controller bears the responsibility for complying. The timescale for responding to a DSAR is strict, and potential fines for non-compliance can be significant. It is therefore crucial that organisations understand what a DSAR is and have the necessary systems in place in order to be able to respond appropriately and on time.

Particular care needs to be taken when dealing with a DSAR, because providing an unauthorised third party with personal data relating to an individual could in itself constitute an unlawful sharing of data and a breach of GDPR. If there are doubts about the identity of the person making the request, it is possible to ask for more information, but only to the extent that it is necessary to confirm who they are.

The test

In order to test how companies would respond to a DSAR made in someone else’s name, a security expert researcher based at the University of Oxford contacted dozens of UK and US firms asking each of them to provide all the data they held on a third party. He did so by creating a fake email address in the third party’s name, and sending a template DSAR letter quoting GDPR. (The third party was the researcher’s fiancée, and he had her permission to make the requests.) He presented the results at a recent information security conference.

Worryingly, of the 83 firms known to have held data about the third party, 24% supplied personal information without any attempt to verify the researcher’s identity. 16% requested basic documentation to verify his identity which could easily have been forged. In total, he was able to obtain 60 distinct pieces of personal information including passwords, credit card details, past and present addresses and a full US social security number.

3% of the 83 firms misunderstood the DSAR and responded to say they had deleted all personal data held, while 5% said they had no data to share, despite the third party having an account controlled by them. 13% failed to respond altogether.

WM Comment

The results of this experiment show that, despite GDPR having been in force for over a year, some organisations are ill-equipped for recognising and responding appropriately to a DSAR and they may struggle to comply with the law. Care must be taken to ensure that reasonable and proportionate measures are effected to verify any DSAR without infringing on a data subject’s right of access.

It is more important than ever to ensure that the necessary internal policies and procedures are in place to deal with DSARs effectively and efficiently and that the relevant staff are given appropriate training. Contractual arrangements must be put in place to ensure that DSARs are dealt with properly, whether they are received by the data controller or a processor. Policies, procedures and any other relevant documentation or notifications, including privacy notices, should be regularly reviewed and revised to reflect the latest guidance from the Information Commissioner’s Office (such as the very recent change to the timescales for responding to a DSAR – see our recent newsflash for details).

Should you require any assistance with drafting and implementing the necessary arrangements, or with any other aspect of GDPR compliance, please do not hesitate to contact Jeanette or Andrew, who will be very happy to help.

________________

[1] “Black Hat: GDPR privacy law exploited to reveal personal data”, BBC News, 8 August 2019, https://www.bbc.co.uk/news/technology-49252501