Earlier this year, an Oxford Ph.D. student made a presentation at the Defcon Black Hat conference where he detailed how he sent bogus data subject access requests to 150 organizations. He posed as his fiancee for this experiment and ultimately received 60 different pieces of information from his inquires.
The studentâ€™s experiment naturally raised concerns about how organizations can properly verify the identity of the individual who sends data subject access requests.
Evident Founder and CEO David Thomas was paying attention to the presentation, as well, as it tied into a new solution his company was prepared to release. The organization unveiled its Verified Data Request tool during the recently concluded IAPP Privacy. Security. Risk. conference in Las Vegas.
The tool allows an organization to adjust the level of verification they need for a data subject to verify their identity after they submit a request under the EU General Data Protection Regulation, the California Consumer Privacy Act or any other privacy law.
â€œIf itâ€™s a use case where there is very little data on a data subject and therefore the friction of proving their identity should be low, we can support that,â€� Thomas said. â€œIf itâ€™s on the opposite end of the spectrum and they have quite a bit of data or itâ€™s a very sensitive deletion request, we can offer a high friction way of verifying the identity of the participant.â€�
When an organization needs more information to verify a requesterâ€™s identity, Thomas said they can adjust the tool to ask for anything from a government ID, a passport or even another form of identification akin to a utility bill. The tool also allows a data subject to attach an image of their face to prove their identity.
Thomas acknowledges that this approach presents a conundrum. In order to verify a personâ€™s identity for a data subject request, they must produce more data. Thomas wanted to ensure the solution helped to avoid this issue.
â€œWe make sure that the business receives only the bare minimum of whatâ€™s required,â€� Thomas said. â€œThey are not expanding their data problem and all of sudden collecting images of passports, which could escalate the seriousness of the data they are holding.â€�
Companies can either integrate the tool into their existing services or use it in a manner similar to DocuSign and send the verification requirements to the email address tied to the person who made the data subject access request or to an email address a company has on file. Should a company choose to use the external method to deliver the correspondence, Thomas said they can use a dashboard to send and review each outgoing probe.
The solution provides recommended templates for the CCPA and GDPR; however, organizations can customize their own templates to suit their needs, Thomas said.
Data subject access requests have been a topic of concern since the GDPR started to gain traction. Thomas and Evident sought to take on the verification component of these requests as they continued to hear how it had become a hassle for customers.
â€œThis has been based on customer demand very clearly,â€� Thomas said. â€œWe saw what happened at the Defcon presentation, and we realized the attention was increasing around this, and there are very few solutions to address it.â€�
Thomas believes organizations are only now starting to understand the costs tied to processing data subject requests, which is why no one has created a similar solution previously. This can be particularly troubling for smaller companies that have to deal with requests that may contain a lot of legal language.
â€œThe requests can be so costly to process that they need some way to solve this,â€� Thomas said. â€œThey have the requirement to identify these data subjects, but they also need to make sure that if they are going to incur the costs of processing the requests that they are actually doing it for someone who is making a proper request.â€�
Thomas plans for Evident to add new templates to the tool should new privacy laws come to fruition. He added the company is prepared to add new techniques to its offering in the event of a seismic regulator shift to DSARs; however, he does not expect that to ultimately be the case.
As for the reaction he heard from P.S.R. attendees, Thomas simply described it as â€œexcellent.â€� The people who visited the Evident booth on the Exhibit Hall had a wide variety of questions and needs, and it filled Thomas with enthusiasm. Not just about Evidentâ€™s product specifically, but also about the outlook of privacy technology going forward.
â€œWhat Iâ€™ve seen out of the attendees of this conference is everybody is looking for the right ways to innovate in this space. Not just around DSAR requests, but around privacy controls and technical controls in general,â€� Thomas said. â€œI love the mentality of the people who are here. Itâ€™s not only about the policies, but itâ€™s about looking for ways to deploy technologies that makes these policies a reality and enables visibility into how things are working across their company. I think those are very positive trends.â€�
Photo by Cashman Photo