The General Data Protection Regulation (GDPR) comes into force soon, and one of its key areas is “subject access requests”, which give users the right to request access to the data your business holds on them, free of charge.
Unfortunately, without the obstacle of the £10 fee that you were entitled to charge under the Data Protection Act, this gives scammers the freedom to cast their net wider, attempting to phish data about people other than themselves. Here are 5 steps you can take to ensure safety:
1. Don’t panic under pressure
It’s easy to succumb to pressure when data is requested by someone who speaks or writes authoritatively. They may threaten you with a whole host of provisions from GDPR, demanding that any data you hold on them is supplied immediately.
You have 1 month to comply with a subject access request, so don’t let the pressure get to you. Take your time and make sure you action all 5 steps in this article.
2. Verify the person’s identity
In the first instance, ask for a copy of their passport or driving licence (bear in mind that these can be forged easily when sent digitally). Make sure that you e-mail the user and receive a reply from the same e-mail address before taking any further action. This rules out the possibility that an anonymous e-mail service was used for the initial request.
If in doubt, use an ID verification service.
3. Check for spelling mistakes and word deception
Check that the e-mail address is correct by cross-referencing it with the information you have stored on the user and/or looking it up on their company’s website. Look for malicious spellings or variations of words that may be used for deception, such as a lowercase “l” in place of an uppercase “I” (the two can look identical in many fonts).
Scammers also commonly misspell words, often to try to fool spam filters, so remain vigilant here.
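One way to automate the look-alike check described in this step, as an added example that is not part of the original article: it compares the address a request arrived from with the address held on record for that person, collapsing characters that render alike so that substitutions such as “l” for “I” or “rn” for “m” are flagged for manual verification. The confusable tables and the sample addresses are assumptions constructed for this example.

```python
import unicodedata

# Single characters that render alike in many fonts, each mapped to one
# canonical stand-in. This table is an assumption of this example, not an
# exhaustive list (it covers Latin-script look-alikes only, not Cyrillic or
# Greek homoglyphs).
CONFUSABLE_CHARS = {"l": "1", "i": "1", "|": "1", "o": "0", "s": "5"}

# Character pairs that read as one letter at a glance.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(address: str) -> str:
    """Collapse an address to a form in which look-alike spellings coincide."""
    # NFKC folds full-width and other compatibility forms; casefold maps I -> i.
    text = unicodedata.normalize("NFKC", address.strip()).casefold()
    # Replace pairs first so "rn" is not treated as a separate "r" and "n".
    for pair, single in CONFUSABLE_PAIRS:
        text = text.replace(pair, single)
    return "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in text)


def check_requester(requester: str, on_record: str) -> str:
    """Compare the address a request came from with the address on record.

    Returns "match" when they are the same address, "lookalike" when they
    differ only by confusable characters (treat as a likely deception and
    verify the requester by another channel), and "different" otherwise.
    """
    r = unicodedata.normalize("NFKC", requester.strip()).casefold()
    o = unicodedata.normalize("NFKC", on_record.strip()).casefold()
    if r == o:
        return "match"
    if skeleton(r) == skeleton(o):
        return "lookalike"
    return "different"


if __name__ == "__main__":
    # Constructed sample senders; the address on record is alice@example.com.
    for sender in ("alice@example.com", "aIice@example.com",
                   "alice@exarnple.com", "bob@example.com"):
        print(f"{sender:24} -> {check_requester(sender, 'alice@example.com')}")
```

A "lookalike" result is a prompt for a human to re-verify through a channel already on file, not an automatic rejection, since the stored address may itself be out of date.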
4. Consider a deadline extension or rejecting the request
If you are unable to verify the user, you may be able to extend the deadline for the request while you seek further validation, or reject the request. You must be able to demonstrate that you have done everything you can to verify the user’s identity but have been unable to do so.
5. Allocate a data protection officer
Don’t hand the reins for subject access requests to just anyone in the company; instead, appoint a data protection officer who is always up to date on security, phishing tactics and GDPR procedures.
In conclusion, GDPR is not simply a box-ticking exercise for compliance; it will form a cornerstone of any business. The regulations are to be treated very seriously, and you will need to make a notable investment to ensure compliance in all areas of GDPR.
Organisations will be required to implement appropriate technical and organisational measures (including introducing data protection by design and by default principles where relevant) to ensure and be able to demonstrate that data processing is performed in a compliant manner.
Ruby Datum works with a number of GDPR consultants, lawyers and professionals in the industry, and can provide assistance where necessary. Our platform is secure, organised and reliable, ensuring many areas of GDPR can be satisfied from both structured and unstructured documents.