Implementing a General Data Protection Regulation (“GDPR”) compliance program can be a daunting task. Part of every company’s GDPR compliance program is the ability to receive and respond to Data Subject Requests (“DSRs”). A DSR is a means by which a data subject can inquire about their personal data that a public or private institution possesses, as granted by his or her ‘right to access.’

GDPR defines ‘personal data’ as such: “…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;” By law, the institution is required to provide the data subject a copy of their processed personal data upon request.

Understandably, DSRs contribute to intimidating perception of implementing and maintaining a GDPR compliance program. These requests can be overwhelming and can come with a host of issues; but the most concerning of these issues is fraud. VICE News reporter, Lorenzo Franceschi-Bicchierai, illustrated just how easy it is for a malicious actor to exploit this ‘right to access’ in order to obtain a victim’s personal data.

The Experiment

In Lorenzo’s article, Researchers Show How Europe’s Data Protection Laws Can Dox People, he describes a simple experiment performed by Ph.D. student and cybersecurity researcher James Pavur and his fiancé Casey Knerr. The experiment was a bet that surrounded the right to access request under GDPR[1]. “I made a bet that I could steal her identity using these GDPR requests,” Pavur said. “I think James definitely won the bet,” Knerr said. Using GDPR, Pavur was able to get a treasure trove Knerr’s personal information, including her Social Security Number.

The prep was simple, Pavur started with just Knerr – her full name, a couple of email addresses, phone numbers, and any other information that Pavur could find online. In other words, the feeblest possible form of attack. Then, purporting to be Knerr, he sent requests to 75 companies, and then to another 75 using the data collected from the first wave of requests with an email address designed to look like that of Knerr.

According to Pavur and Knerr, 25 percent of companies he contacted never responded. Two thirds of companies, including online dating services, answered with enough information to uncover that Pavur’s fiancé had an account with them. Of those who responded, 25 percent offered sensitive data without correctly verifying the identity of the sender. Another 15 percent requested data that could have easily been forged, while 40 percent requested identifying information that would’ve been relatively hard to fake, according to the study.

How to protect your organization?

Organizations required to comply with GDPR need to create a pathway for data subjects to submit such a request – perhaps via a designated email address to receive requests – but once an organization has implemented that mechanism is when the organizational risk becomes present. Authenticating DSRs is paramount.

Article 12 of GDPR Section 2 states, “…the controller shall not refuse to act on the request of the data subject for exercising his or her rights…unless the controller demonstrates that it is not in a position to identify the data subject.”[2] Recital 64 is much stronger on this point than Article 12: “The controller should use all reasonable measures to verify the identity of the data subject who requests access, in particular in the context of online services and online identifiers.”[3]

Piotr Fiotzik, of the International Association of Privacy Professionals, offers some insights that organizations should consider in his article How to verify identity of data subjects for DSARs under the GDPR. At the onset, consider the situation and reasonable expectations of consumer. If a method of “verifying identify was good enough when you obtained the data in the first place (e.g., you received them by email), it should be good enough when you receive a request (e.g., email request sent from the same email address).”[4] During the authentication process, you should rely on the data you have as an organization rather than the data you obtain and develop questions that test the subject’s knowledge. In the online environment, the GDPR clearly says that identification should include the digital identification of a data subject, for example, through an authentication mechanism, such as the same credentials used by the data subject to log in to the online service offered by the organization.

The National Institute of Standards and Technology’s (“NIST”) Special Publication (“SP”) 800-63-3, Digital Guidelines, provides additional instruction for identity proofing and authentication of users (such as employees, contractors, or private individuals) interacting with you system[5]. NIST SP 800-63-3 also defines technical requirements regarding identity proofing, registration, authenticators, management processes, authentication protocols, federation, and related assertions. NIST SP 800-63-3 discusses the idea or concept of identify proofing which is essentially answering the question, ‘is the person who they purport to be?‘

Although the authentication process may be a daunting one, it is necessary. If you stick to the considerations above, i.e. stick to the data you know, consider the consumer, etc., your organization will be in a good place to properly authenticate DSRs. Also, consider adding in controls from NIST SP 800-63-3, specifically the section on identity proofing because this may add additional security controls to a seemingly insecure process. At the heart of GDPR, and other regulations like it, is the organization’s responsibility to keep consumer data safe – keeping that concept ever present will go a long way.

[1] Franceschi-Bicchierai, L. (2019). Researchers Show How Europe’s Data Protection Laws Can Dox People — VICE. [online] VICE. Available at: https://apple.news/Al5y2F_j6QemxKtK-sSk9SQ [Accessed 12 Aug. 2019].

[2] https://gdpr-info.eu/art-12-gdpr/

[3] https://iapp.org/resources/article/the-eu-general-data-protection-regulation/#R64

[4] https://iapp.org/news/a/how-to-verify-identity-of-data-subjects-for-dsars-under-the-gdpr/

[5] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf

Photo by Markus Spiske on Unsplash