Is your GDPR SAR implementation putting you at risk?

Email my passport for a GDPR SAR?

In a cruel twist of fate and for some an inevitable irony, the GDPR might just be responsible for the unnecessary proliferation of highly sensitive documents by insecure means.

Thousands of organisations in the UK and Europe (at least those who give a hoot) have set out their GDPR stall. They have updated Privacy Policies, sent out consent emails in one form or another and have implemented a SAR process.

If you thought that every GDPR email you received was different and wondered why that should be, then just imagine what the SAR processes look like.

  • Who should I write to?
  • What is their position?
  • How do I submit my request?
  • How do I get my data?

GDPR Auditing are already seeing evidence of many different flavours of the above, not all of them sticking the spirit of GDPR or even in some cases the legal aspects either.

One Regulation – One set of Rules

The regulation sets out the requirements for Subject Access Requests quite clearly.

  • You can ask any organisation if they hold information about you
  • If they do they can quite rightly ask you for identification
  • Identification should not be too onerous and should be proportional

If, for example, you had some kind of account with an online resource then surely this should be sufficient.

If you never had a relationship with an organisation then how should they identify you?

Passport, Driving Licence, Utility Bill

A rather more worrying trend is for organisations to ask for sensitive pieces of documentation to identify individuals.

“Please send copy of your passport, or driving licence, and credit/debit card or utility bill to verify you details.”

But hold on a minute, send these identification items to an organisation that would never have had them in the first place, via email, really?

The question here is, how does the information requested identify the subject, a passport does not have an address on it, it does have a DOB, which for most organisations they won’t have or should not have collected, it has biometric data on it, as it has a photograph.

So how are these organisations going to use this very sensitive and personal data to verify who the data subject is? Are they performing, some kind of Know Your Customer (KYC) check – equivalent to the finance industry. Who is doing it on their behalf, has the data subject agreed to this level of scrutiny.

Burden of Proof

It seems as if organisations are trying to shift the burden of proof onto the data subject and, far from following the logical process to request the appropriate, proportional identification, are heading straight down the:

“we are going to make damned sure we know who you say you are route” – even if this tactic means collecting more personals data from the individual than they might have had to begin with.

This sledgehammer approach opens up a whole can of worms since the organisation is now collecting information it potentially never had in the first place, for a purpose which is not covered by any privacy policy, almost certainly isn’t covered by the data retention schedule, and most likely isn’t being secured properly.

Every data subject should expect to provide some identification information, we don’t want our personal details being sent to just anyone. However, data subjects shouldn’t be put into the position of having to spray sensitive documents all over the internet, to get at their personal data.

Issues with this Approach

Consider this, how can a current utility bill or otherwise help if I am enquiring about a service before my current address?

Unless you had my passport details to begin with what is to be gained from asking for it? John Smith could be any John Smith and if you don’t have their DOB then where does it leave you.

Most organisations might have a name and an email address which is enough to classify it as personal data and, if that is the case, then why is sending the request back to that email address not sufficient.

What should Organisations Do Then?

Subject Access Requests – or more importantly requests (as not all requests may be for access) need to be dealt with in a structured, proportional manner, there is not a one size fits all solution.

If you can avoid collecting more personal details than you currently hold then this should be your approach.

You also need alternative ways of identifying individuals.

If you are going to ask for extra information, you need a secure mechanism for receiving it and a bullet proof process for storing it securely, and removing it once you are finished, not to mention tracking all this for accountability.

GDPR Auditing was founded by Philip Mather and Vakis Paraskeva, with over 50 years Information technology, Security, Development, and compliance experience between them.

If you need help with the next phase of GDPR, building solutions, developing processes and procedures, securing your IT, then contact us. With our delivery focused background and our many satisfied clients we believe GDPR Auditing are better placed than most to assist your business with GDPR.

Contact us

If you would like to know more about how GDPR Auditing can help your organisation with the GDPR please contact us at or visit our contacts page.

The information provided in this post is for general information only and is not intended to provide legal advice.

© GDPR Auditing 2018.