
Operationalizing DSAR Compliance with Automated Identity Verification

September 10, 2019

The DSAR Tidal Wave

Thanks to GDPR and other global privacy regulations, consumers now have a right to know what and how much of their data a company is collecting and storing, but few regulators have provided concrete recommendations for how businesses should respond to data subject access requests (DSARs) in a safe, secure, and timely fashion.

With no clear direction, and only a handful of tools available to help streamline requests, many companies either architected their own DSAR processing method, or began handling each request manually – a highly ineffective (and insecure) process that made DSARs even more challenging, costly, and time-consuming.

In a recent study, law firm Squire Patton Boggs reported completing the same number of DSARs in the first five months of 2019 as they’d handled during the entire year of 2018. Of 64 organizations they surveyed, 67% reported an increase in costs associated with the process of responding to DSARs, and 27% hired new personnel to deal with this growing trend.

Now, more than a year into GDPR, and with California Consumer Privacy Act (CCPA) coming into force on January 1, 2020, it’s become clear that the DSAR tidal wave is far from over, and companies need a better way to handle these requests.

DSAR Regulatory Implications

Under GDPR, even if companies have an effective process to handle DSARs, they may still be fined to the fullest extent (4% of total worldwide annual turnover or €20M, whichever is greater) if they impose unreasonable or disproportionate requirements to authenticate individuals exercising their rights to access their data.

Under CCPA, which is set to go into force on January 1, 2020, a business that responds to a verified DSAR must disclose all of the data it has amassed about the individual in the 12 months prior to the request. Aggregating this data can be laborious in and of itself, but even more challenging is CCPA’s mandate for businesses to respond to a DSAR within 45 days.

The new laws might require faster turnaround time, but so do your employees and customers. Companies that don’t respond quickly enough to DSARs run the risk of being bombarded with follow-up emails and calls from impatient data subjects who expect immediate action on their requests.

Why DSARs Need Identity Verification

A recent Black Hat Conference presentation revealed just how much data companies were inadvertently sharing with fraudsters. It’s common knowledge that cybercriminals impersonate real people online, but now, they’re using their email spoofing and document falsifying skills to take advantage of a giant privacy loophole: submitting DSARs with the purpose of gaining access to personal data that isn’t theirs.

Without proper identity proofing, organizations end up doing the exact opposite of what these new global privacy regulations were intended to achieve:

  • Broadening subjects’ rights and giving them ownership of their data
  • Holding organizations accountable for their data security practices
  • Decreasing instances of fraud in an increasingly data-centric world

Identity verification should be the very first step in every organization’s DSAR workflow, and choosing a verification mechanism that produces a higher level of assurance can be especially beneficial for weeding out bad actors, bots, and other cybercriminals.

American companies that handle DSARs today are currently employing verification tactics that offer little to no assurance (e.g. self-attested verification and ID document scanning without biometric verification). Industry experts recommend stepping up DSAR verification processes by incorporating biometric verification (e.g. a driver’s license compared to a selfie) and a public records check to doubly validate that the data subject is who they claim to be, prior to handing over the personal data they’ve requested.

How Evident Helps

Evident is transforming the DSAR process. Our automated identity verification platform offers a higher level of assurance and exceptional user experience, making it easier for companies to quickly respond to DSARs with less risk, and enabling them to manage multiple verifications through a single, secure portal.

With Evident, global enterprises can verify data subjects’ identities in 177 different countries, including the U.S. and all of Europe, while helping them to protect their users’ personal data with end-to-end encryption, and to demonstrate accountability and compliance with new privacy regulations like GDPR and CCPA.

Stephanie Peterman

Stephanie Peterman is a recovering journalist with more than 13 years of marketing and communications experience. She began her career in the advertising agency world, but discovered her true passion for privacy and cybersecurity while working in the technology space. She now serves as Brand Marketing & Communications Manager at Evident.
