Subject access requests (SARs) compel you as a business to reveal and share all of your pertinent data on an individual, this is a great thing for personal data protection. It’s also a ripe target for fraudsters.
There is little in place to prevent bad actors from posing as another person and submitting a seemingly responsible SAR. It’s up to your business to make sure you’re giving the information to the right person.
Why subject access requests matter
As a business which interacts with customers, your company has extensive data on individuals. Data that is appealing to identity thieves and fraudsters as well as a host of other criminals.
The data you have on customers is legitimate and was legally obtained, customers voluntarily hand over their information in order to work with your business. However, GDPR has put individuals in control of their data so if they want to remove it then that’s their prerogative.
When a subject access request is made of a business, you should check with your legal and compliance departments to make sure there’s a protocol in place for how to process SARs. There are many limitations and deadlines involved and the Information Commissioner’s Office (ICO) issued guidance for how SARs should be handled in October 2020.
This must be taken seriously by all regulated businesses; SARs fall under data protection which has an incredibly high penalty limit. Fines for failing to comply can reach £17.5 million per breach or 4% of total annual worldwide turnover in the previous financial year, whichever is higher. It’s a colossal fine. Not to mention the reputational damage for any company hit with a fine like this.
Businesses must focus on their SAR process and streamline it so that they’re able to quickly retrieve the relevant data and relay it to requestors. Speed is vital in this process as the requirements for SARs are demanding.
Why identity verification matters
If you fail to verify the identity of those who are making subject access requests, then you’re likely to fall into a trap set by fraudsters. Bad actors who are trying to mine the wealth of data you keep on your customers for the slivers of information they need to commit fraud, steal identities, and rack up huge charges in the name of your customers.
The fall out for your customers has the potential to be extensive and the enforcement action that could be brought against you by the Information Commissioner’s Office (ICO) as a result has the potential to see your business fined £17.5 million or 4% of your total annual worldwide turnover – whichever is higher.
With such immense fines at stake, it’s a good thing that there is an easy alternative. HooYu provides an identity and verification (IDV) journey that can verify the requestor of any SAR and protect your company.
The IDV journey is quick and painless. The SAR filer is directed to submit a selfie, a proof of identity document such as a passport and using that information they agree to undergo a database check. The whole journey takes minutes and verifies the individual almost immediately. Allowing your business to respond to the SAR with confidence and at speed
Subject access requests’ scope and deadlines
Speed is an important element of the SAR journey. For one thing, you only have a month to get the information to the individual. Considering how many datapoints can be collected for one person this could involve a lot of administrative work for the employee responsible.
Whoever has made the subject access request, so long as they’re the individual requesting their own data, must be granted not only the datapoints themselves but nine key points of information. These are not easy demands to handle. Your business has a 30-day time limit to communicate this information and if you’re diving into poorly maintained data lakes to retrieve the information then it’s far more difficult. Your business must explain:
- the purposes for processing their data
- the categories of personal data
- who else receives the personal data including those in other countries and international organisations
- how long you store the data for or, if that cannot be shared, your criteria for how long your business stores data
- their right to request rectification, erasure, or restriction of their data – they may also object to their data being processed
- that the individual has the right to file a complaint with the ICO
- the source of the data you have on the individual
- the role of automated decision-making as well as the logic used to automate those decisions on that person’s data, this must include considered consequences of the processing of data for that individual
- the safeguards your business has in place concerning their personal data if it has been or will be moved to another country or international organisation
Verify the request
The simplest way to provide all this information is to extract it from the tool you used to obtain it. Rather than using a data lake that has accessibility issues you should be able to extract customer data from a profile that has the majority of the data you need to hand.
HooYu Identify provides detailed customer profiles as standard and can be used to verify the person requesting the information. Checking the identity of the person who submitted the SAR is integral to complying with GDPR as you must not allow that personal data to be transmitted to unauthorised parties.
There are many fraudsters working hard to trick and manipulate companies into giving up customer data through social engineering and other insidious methods. Putting an identity check in place as standard immediately prevents your employees from leaking data accidentally.
The journey we provide is a truly digital identity check. Using your regular HooYu account you can build a proof of identity journey that takes minutes and as the entire journey is conducted through a web portal, can be setup in a few hours after the contract is signed. Making your compliance with GDPR requirements that much faster.
SARs made simple
This makes responding to a subject access request a far simpler issue. You can verify the requestor and access a great deal of the data your business has on them in one fell swoop. It also means that meeting the deadlines for SARs is an easier task as well. Businesses only have one month to comply with a SAR but can extend it by a further two months if necessary.
For example, if they’ve asked for data erasure and for a full accounting of how you’ve used their data. But the extension can only max out at three months from the date that the request was made, and the requester must be made aware of the delay within the first month.
SARs are a demanding process. But they focus on the data that you already have on the individuals concerned. Using a strong workflow that organises the data you obtain from customers efficiently there should be no problems in complying with any subject access request.
Download a copy of HooYu’s verifying identity for Subject Access Requests here.