Security Analysis of Subject Access Request Procedures: How to Authenticate Data Subjects Safely When They Request for Their Data

Bibliographic Details
Published in: Privacy Technologies and Policy, pp. 182-209
Main Authors: Boniface, Coline; Fouad, Imane; Bielova, Nataliia; Lauradoux, Cédric; Santos, Cristiana
Format: Book Chapter
Language: English
Published: Cham, Springer International Publishing, 2019
Series: Lecture Notes in Computer Science
ISBN: 9783030217518, 3030217515
ISSN: 0302-9743, 1611-3349
DOI: 10.1007/978-3-030-21752-5_12

Summary: With the GDPR in force in the EU since May 2018, companies and administrations need to be vigilant about the personal data they process. The new regulation defines rights for data subjects and obligations for data controllers but it is unclear how subjects and controllers interact concretely. This paper tries to answer two critical questions: is it safe for a data subject to exercise the right of access of her own data? When does a data controller have enough information to authenticate a data subject? To answer these questions, we have analyzed recommendations of Data Protection Authorities and authentication practices implemented in popular websites and third-party tracking services. We observed that some data controllers use unsafe or doubtful procedures to authenticate data subjects. The most common flaw is the use of authentication based on a copy of the subject’s national identity card transmitted over an insecure channel. We define how a data controller should react to a subject’s request to determine the appropriate procedures to identify the subject and her data. We provide compliance guidelines on data access response procedures.