Yesterday marked the six month anniversary of the momentous GDPR deadline – a period of time that has seen an exponential increase in the number of consumers wary of how, if at all, their personal data is being protected. Since the deadline, the French CNIL company has seen a 64 per cent increase in the number of privacy complaints. Similarly, more than 1,100 reports of data breaches involving people’s personal information were received by the Data Protection Commission in just the first two months – a number that has gone up exponentially since then.
As consumers become increasingly aware of their rights under GDPR, the number of Subject Access Request (SAR) have also increased. An SAR is a written request made by an individual for the information an organisation holds on him or her. The typical SAR demands a copy of all personal information, how it has been used, who it has been shared with, how long it has been stored and details of any data breaches. The consumer can also subsequently ask for the data held to be deleted.
As SARs can be requested by anyone, the last six months has also seen an increase in malicious actors using the guise of GDPR to steal personal data, leaving businesses struggling to ensure the requests are authentic. Experts at Trulioo believe that organisations may have neglected adequately planning for the influx of SARs while setting out plans to adhere to the larger GDPR framework. As the volume of SARs have increased, managing these requests continues to be an under-examined blind spot of being GDPR compliant.
Zac Cohen, General Manager at Trulioo comments: “Once an SAR is made, organisations have one month to comply. However, before going to the extensive process of releasing or deleting a subject’s data, it is imperative for businesses to first determine that the request is indeed coming from the actual data subject.”
“While the number of requests for erasure has climbed since the introduction of GDPR, processing a fraudulent request and releasing or deleting data from the record has resulted in a completely different set of problems. To ensure the person making the SAR is who they say they are, companies can leverage identity verification services to authenticate individuals making the request.
In a haste to process SARs, many businesses have lost sight of the primary objective of the GDPR – the confidentiality of data. Wrongly disclosing confidential data is a data breach and the individual whose data was exposed could file for negligence.
Zac concludes: “Considering businesses have only had a month to respond to a data subject’s deletion request, the faster and more automated the process, the easier it could be to comply with GDPR regulations smoothly and avoid the associated penalties and fines, which can run up to four per cent of company revenues.”