Data Privacy Issues in Respsonding to GDPR Subject Access Request

Published on: 20th December 2018

We've been concerned for a long time that the most significant challenge to responding to Subject Access Requests is the ability for people to verify the identity of the Subject, and ensure that only their data is returned in response to the request.

The story on the BBC reports that an Alexa user was sent the wrong person's data in response to a SAR, which Amazon attributes to human error.

This is a perfect example of the potential weaknesses in the retrieval and supply of personal data when someone invokes a SAR, which will inevitably involve some human handling of the data and personal judgements about the data's relation to the data subject. Somebody somewhere has to decide if it is YOU making the request, and what is scope of YOUR DATA.

The assessment of identity and the checks needed to ensure security, along with the data retrieval, assessment and presentation for the Subject is one of the biggest practical challenges in a GDPR / DPA2018 world.

PYXI GDPR Team: 20th Dec 2018 07:50:00