When a Data Subject Access Request is not all it seems!

There are concerns that the Data Subject Access Request, widely publicised as part of our rights under GDPR, might be used as a vehicle for identity theft.
 

Using social engineering techniques (LinkedIn, Facebook etc.), a fraudster could feasibly put together a Data Subject Access Request (DSAR) that contains enough information for you to assume that the data request is genuine.

The valuable information you hold (particularly on ex-employees) could be used for identity theft or fraud. You might be called upon, as part of the request, to supply valuable items such as name, address, date and place of birth, and national insurance number: all great ingredients of an identity thief’s toolkit.

We recommend that your privacy policy states clearly that your DSAR process requires a robust verification of identity and address and that it is reinforced by independent confirmation.

If possible, seek to engage the requestor both to clarify the scope of the request and to ensure that you have sight of originals or certified copies of originals. Bear in mind that, whilst identity verification may not be used to unduly delay a response, the DSAR clock does not start ticking until you have received the required information, and verification may be required to prevent an inadvertent breach.

About the author

David Fardell

+44 (0)20 7556 1437
fardelld@buzzacott.co.uk
