Whose Data Is It? A Real GDPR Problem With Subject Access Requests

by Michael Addison in Data Protection


Data breaches seem to come ever more frequently of late. The Information Commissioner's Office's (ICO) intention to fine big businesses like Marriott Hotels and British Airways springs to mind.

While the risk of a breach may seem as unavoidable as any other risk in our lives, that isn't necessarily the truth. No one wants to have their data stolen, and businesses can do many things to make themselves more secure.

A researcher from Oxford University has uncovered a troubling security risk in the EU regulations, specifically in right of access requests.

GDPR: Subject Access Requests


Right of access requests, commonly known as "subject access requests", give individuals the right to obtain a copy of their personal information. For businesses, this means individuals have the right to know whether you're processing their data and to obtain a copy of that data.

This sounds all well and good if the person asking for the data is who they say they are. A case study carried out by an Oxford researcher produced some troubling findings. While attempting to extract as much information as possible about his fiancée (with her consent), he found that companies were more than willing to hand over sensitive information.

Understandably, the fear of being fined for breaching GDPR could lead companies to roll over and give data to whoever asks. However, this in itself could lead to an even more significant data breach, and puts at risk the data of customers, employees and anyone else whose data you hold.

GDPR: Common Sense In Protecting Your Business


Businesses can train themselves and their staff to be on the lookout for suspicious GDPR requests. After all, data obtained for nefarious purposes leaves you and your customers open to unpleasantness. GDPR asks that the data controller use all reasonable measures to verify the identity of the individual who requests information.

Current legislation doesn't clarify what an appropriate form of identity is. The researcher suggested that government-mediated verification services could be a possible alternative in future. In the meantime, you could require an account login or other secure identification procedure before handing over the data.

Generally, an attacker looking for information in this way is likely to be rare. Your past customers, employees and the like are much more likely to be the ones asking you for this information.

Keep in mind that whenever you refuse a request, you must always let people know about their right to complain to the ICO.

Shred Unneeded Data


Do you have unnecessary documents lying around, gathering dust?

Do you have a process in place for when you remove ex-employee or customer information? Failing to employ a paper security policy leads to data breaches, which can be catastrophic to any business.

A confidential shredding service can sensibly secure your business's best interests and prevent personal information from falling into the wrong hands. At Direct365, we take your security seriously, employing vetted, DBS-checked personnel and operating discreetly so your staff can get on with their day with minimal interruption.

You can choose between an onsite and an offsite shredding service. With the onsite service, watch before your very eyes as all that paper, hard drives and ex-employee cards get shredded in our state-of-the-art machines. Alternatively, use our offsite service, where GPS-tracked trucks deliver the documents to a secure facility for destruction.

Get an instant quote today.
