GDPR Glitch: Stumbling Over Security With Right of Access Requests
Is the GDPR's tight right of access request timeline a point of vulnerability for personal data, or do companies just need to refine their verification procedures?
August 16, 2019 at 10:30 AM
4 minute read
The European Union’s General Data Protection Regulation (GDPR) grants data subjects the right of access, meaning that an EU citizen may request a copy of all of their personal data collected by an organization. Businesses have one calendar month to comply to such requests—and by extension, ensure the person issuing a request is who they say they are.
It’s not an exactly a foolproof process. Last week, for instance, BBC News reported that an University of Oxford researcher was able to obtain his fiancee’s Social Security number, credit card information and account logins by calling around to different businesses.
But while organizations may have to step up their verification efforts, absent further regulatory guidance, that may be easier said than done.
“This is a new process for many organizations that they are working through for the first time, and I think because of that we’re going to see errors and slip-ups in confirming the identify of the people before processing a request,” said Michael Waters, a shareholder at Polsinelli.
Still, identification may not be where most companies can afford to focus their energies right now. From what Waters has seen, many organizations are preoccupied with locating the information specified in a given request before the GDPR’s one-month time clock runs out.
Sarah Pearce, a partner in the privacy and cybersecurity practice at Paul Hastings, thinks there may be room for companies to increase the sophistication with which they process data subject requests. Those efforts begin with having the right procedures in place.
“The key thing is to have that procedure, that policy and then to make sure that all staff are aware so that everyone knows how to respond such that you’re not just handing over personal data to anyone. It’s got to be for the right reasons and in the right circumstances,” Pearce said.
Still, the authentication process itself can be a fine line to walk. Per guidelines laid out by the Article 29 Data Protection Working Party—an EU advisory body comprised of representatives from each member state—a company is required to verify the identity behind a request, but those efforts cannot place “excessive demands” on the data subject or lead to further collection of personal information irrelevant to the task at hand.
“This can create a tension for organizations who do not want to violate either requirement,” Waters said.
One way to thread the needle is to ask the data subject to answer a question only they would be able to answer without venturing into yet more personal information. For example, a financial institution might ask the originator of a data request to provide the balance of an account, but not the account number itself.
Waters thinks there will be further clarification on authentication from regulators over time. It’s also possible that some people may have to learn the hard way through GDPR-related fines or sanctions.
“We see that a lot with other statutes. It’s really the court systems that provide clarification and context for organizations,” Waters said.
While Pearce agrees that incidents resulting from a falsified data subject request could trigger further guidance from regulators, she thinks the burden of properly executing the regulation will ultimately fall on companies.
“There’s only so much you can place on a regulator in guidance because they have a job to do and they are fulfilling it. So it does then come down to companies taking notice of that regulation and actually implementing procedures to deal with the fact that it’s there,” Pearce said.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Appellate Division Greenlights State Bar's Leadership Diversity Initiatives
- 2SEC’s Latest Enforcement Actions Fuel Demand for Big Law
- 3Sterlington Brings On Former Office Leader From Ashurst
- 4DOJ Takes on Largest NFT Scheme That Points to Larger Trend
- 5Arnold & Porter Matches Market Year-End Bonus, Requires Billable Threshold for Special Bonuses
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250