The European Union’s General Data Protection Regulation (GDPR) grants data subjects the right of access, meaning that an EU citizen may request a copy of all of their personal data collected by an organization. Businesses have one calendar month to comply to such requests—and by extension, ensure the person issuing a request is who they say they are.

It’s not an exactly a foolproof process. Last week, for instance, BBC News reported that an University of Oxford researcher was able to obtain his fiancee’s Social Security number, credit card information and account logins by calling around to different businesses.

But while organizations may have to step up their verification efforts, absent further regulatory guidance, that may be easier said than done.

“This is a new process for many organizations that they are working through for the first time, and I think because of that we’re going to see errors and slip-ups in confirming the identify of the people before processing a request,” said Michael Waters, a shareholder at Polsinelli.

Still, identification may not be where most companies can afford to focus their energies right now. From what Waters has seen, many organizations are preoccupied with locating the information specified in a given request before the GDPR’s one-month time clock runs out.

Sarah Pearce, a partner in the privacy and cybersecurity practice at Paul Hastings, thinks there may be room for companies to increase the sophistication with which they process data subject requests. Those efforts begin with having the right procedures in place.

“The key thing is to have that procedure, that policy and then to make sure that all staff are aware so that everyone knows how to respond such that you’re not just handing over personal data to anyone. It’s got to be for the right reasons and in the right circumstances,” Pearce said.

Still, the authentication process itself can be a fine line to walk. Per guidelines laid out by the Article 29 Data Protection Working Party—an EU advisory body comprised of representatives from each member state—a company is required to verify the identity behind a request, but those efforts cannot place “excessive demands” on the data subject or lead to further collection of personal information irrelevant to the task at hand.

“This can create a tension for organizations who do not want to violate either requirement,” Waters said.

One way to thread the needle is to ask the data subject to answer a question only they would be able to answer without venturing into yet more personal information. For example, a financial institution might ask the originator of a data request to provide the balance of an account, but not the account number itself.

Waters thinks there will be further clarification on authentication from regulators over time. It’s also possible that some people may have to learn the hard way through GDPR-related fines or sanctions.

“We see that a lot with other statutes.  It’s really the court systems that provide clarification and context for organizations,” Waters said.

While Pearce agrees that incidents resulting from a falsified data subject request could trigger further guidance from regulators, she thinks the burden of properly executing the regulation will ultimately fall on companies.

“There’s only so much you can place on a regulator in guidance because they have a job to do and they are fulfilling it. So it does then come down to companies taking notice of that regulation and actually implementing procedures to deal with the fact that it’s there,” Pearce said.