Poor implementation of data protection procedures and basic social engineering can create a perfect playing field for identity thieves.

The General Data Protection Regulation (GDPR) grants individuals (data subjects) a right to access their personal data which an organisation (data controller) processes or holds on them. In a recent experiment, an Oxford researcher, Mr Pavur, made data subject access requests (DSARs) to 150 organisations.

The catch is that he was holding himself out to be his partner and was seeking her personal data from the companies (with her permission, of course). What he found is that the laws which are intended to prevent others from retrieving our personal data actually facilitated identity theft.

Mr Pavur used a number of deceptive but simple techniques, known as “social engineering”, to gain access to his partner’s personal data.

Mr Pavur’s findings

One in four companies delivered personal data on Mr Pavur’s partner. Out of those responses:

  • 24 per cent accepted merely an email address and phone number as ID information;
  • 16 per cent requested easily forged ID information; and
  • 3 per cent just deleted his partner’s accounts.

In general, large companies performed well and carried out appropriate checks. Tech companies performed particularly well. Small businesses typically ignored the requests, and medium-sized businesses which knew about GDPR but did not have the expertise or resources to deal with requests failed the experiment.

5 per cent of US organisations also stated that they were not liable to comply with GDPR. However, GDPR applies to all organisations which hold and process the personal data of individuals residing in the EU regardless of where the organisation is located. It will also apply if the organisation offers goods or services or monitors the behaviour of data subjects in the EU.

Significant personal data breaches

Below are some examples of the data breaches and the personal data provided to Mr Pavur:

  • An advertising company posted the DSAR request letter on the internet. This constituted a data breach in and of itself;
  • Another organisation gave Mr Pavur 10 digits of his partner’s credit card, the expiration date, the issuer and her past and present addresses; and
  • A US company provided the results of a historic criminal background check.

Time limit

GDPR legislates for organisations to respond to DSARs within one month of receiving the request or, if later, within one month of receiving any requested information to clarify the request or confirm the requester’s identity. The time limit can be extended by a further two months if necessary due to the complexity and number of requests, provided the individual is informed within one month of receiving their request.

According to Mr Pavur, the one month time limit led to almost panicked responses by some companies and compromised ID checks for fear of not complying with the request on time. A failure to deal with a DSAR risks a complaint to the Information Commissioner’s Office (ICO), or an application to court for a compliance order.

Awareness of social engineering tactics

The experiment also highlighted that those charged with handling the DSARs were not fully trained or made aware of phishing and social engineering techniques. This made it easy for simple forms of identity theft to be carried out on companies which were mostly concerned with dealing with the request before the clock ran out on the one month time limit.

Striking a balance between protecting personal data and responding to DSARs

The main difficulty highlighted by this experiment is striking the balance between responding promptly to DSARs and making sure that the person is who they say they are.

You can request further ID documents from an individual if you are dubious about their identity. However, the ICO states that you can only ask for information to confirm who they are and that the key to this is ‘proportionality’. Unfortunately, the GDPR does not define what forms of identification are acceptable but imposes a general obligation on employers to “use all reasonable measures to verify the identity” of an individual making the DSAR.

What should organisations take from this experiment?

  1. Ensure that proper ID checks are carried out on the person making the request and only accept legitimate forms of ID documents.
  2. Have procedures in place for when you do receive DSARs. Assign a person or a team to whom the DSARs should be referred.
  3. Do not be afraid to ask for further ID documents if you have concerns. The period for responding to the DSAR starts once you have received any requested ID documents but you must let the individual know as soon as possible if you require additional information.
  4. Provide appropriate training to staff in respect of detecting DSARs. It is not always the case that an email or letter will contain the heading ‘Data Subject Access Request’. A request may be more discreet.
  5. Seek advice when necessary. GDPR is complex and the penalties can be severe, not to mention the reputational damage suffered as a result of not complying with the legislation.

If your business is facing any issues with regard to GDPR or data subject access requests, please get in touch with your usual Brodies contact to identify any risks and highlight strategies for the future. Workbox users can also access a step-by-step guide at the pages on subject access requests.

The ICO has recently updated its guidance on data subject access requests: the guidance is available here or you can read our blog.