Phishing the GDPR Data Subject Rights

Companies across the globe are now working toward compliance with the EU GDPR, while phishers may be preparing to exploit their new compliance processes. Airbnb first fell prey to a GDPR-related scam, with more surely to come. Unfortunately, many GDPR security efforts have focused primarily on Article 32 while overlooking new ancillary compliance program risks.

One new point of data egress usually lands outside the purview of the security team: the data subject rights established in Articles 15 to 22. This egress can become exfiltration when an organization’s support team provides data to a phisher impersonating a legitimate data subject. Organizations may design lenient data subject rights processes with minimal identity verification in hopes of avoiding data subject complaint fines. When self-service methods aren’t possible, how can organizations honor these rights without falling victim to phishing attacks?

Involve the Security Team

Controllers overwhelmed with a high request volume or very complex requests can extend the standard one-month processing time by an additional two months, giving a maximum of three months to process requests (Article 12.3). Consult the security team when designing the response procedure, whether it is manual, self-service or some combination thereof. Include the process in your risk assessment and request a security review, especially where there is sensitive or special category data.

Limit Personal Data Sent Out of the Organization

Practice data minimization in the amount of personal information sent outside of the organization in response to rights requests. Controllers with a significant amount of information in an individual’s record can ask the data subject if they would like to specify a data type or processing activity for the request rather than providing the full record (Recital 63). If possible, limit the scope to deliver only what the data subject truly wants—and no more—rather than sending the entire record by default. Controllers do not have to send information that the data subject already has or can access (Article 13.4 and Recital 62). Ask if the individual simply needs help with account access, a password reset or finding their data.
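The two controls above (verify identity before release, then scope the export to what was asked for and leave out what the subject can already reach themselves) are easy to describe and easy to skip under deadline pressure. The following Python is an added example, not code from the article or from Schellman; it sketches a fulfilment step that refuses to build a response for an unverified requester, narrows the record to the requested categories, routes self-service categories back to the account page instead of e-mailing them out, and computes the Article 12.3 deadline (one month, or three with the extension). The record, category names and self-service set are constructed for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Set

# Categories the subject can already see in a self-service account page
# (constructed for the example; a real deployment maps its own data inventory).
SELF_SERVICE_CATEGORIES = {"account", "marketing_preferences"}

# Constructed sample record for one hypothetical data subject; every value is invented.
SAMPLE_RECORD: Dict[str, object] = {
    "account": {"email": "subject@example.invalid", "display_name": "A. Subject"},
    "billing": {"card_last4": "4242", "invoices": ["INV-1001", "INV-1002"]},
    "support_tickets": [{"id": 77, "summary": "Login problem"}],
    "marketing_preferences": {"newsletter": False},
}


class VerificationRequired(Exception):
    """Raised when a request reaches fulfilment without a completed identity check."""


@dataclass(frozen=True)
class AccessRequest:
    subject_id: str
    identity_verified: bool
    # None means the subject asked for the full record (Recital 63 lets you ask them to narrow it).
    requested_categories: Optional[Set[str]] = None


def build_response(record: Dict[str, object], request: AccessRequest) -> dict:
    """Assemble a minimized Article 15 response; never releases data to an unverified requester."""
    if not request.identity_verified:
        # Fail closed: the support workflow must not be able to skip this step.
        raise VerificationRequired(f"identity not verified for subject {request.subject_id}")

    available = set(record)
    if request.requested_categories is None:
        scope, unknown = available, set()
    else:
        scope = request.requested_categories & available
        unknown = request.requested_categories - available  # asked for, but we hold no such category

    # Article 13.4 / Recital 62: do not ship what the subject already has; point them there instead.
    deliver = scope - SELF_SERVICE_CATEGORIES
    redirect = scope & SELF_SERVICE_CATEGORIES

    return {
        "data": {k: record[k] for k in sorted(deliver)},
        "self_service_instead": sorted(redirect),
        "unknown_categories": sorted(unknown),
    }


def _add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of a shorter month."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def response_deadline(received_iso: str, extended: bool = False) -> str:
    """Article 12.3: one month from receipt, or three months when the two-month extension is used."""
    received = date.fromisoformat(received_iso)
    return _add_months(received, 3 if extended else 1).isoformat()


if __name__ == "__main__":
    req = AccessRequest("subject-1", identity_verified=True,
                        requested_categories={"billing", "account", "payroll"})
    print(build_response(SAMPLE_RECORD, req))
    print(response_deadline("2018-05-31"), response_deadline("2018-05-31", extended=True))
```

The point of the split output is operational: the support agent sees which categories were sent, which were deliberately withheld because the subject already has them, and which were asked for but do not exist, so a suspicious request (a "customer" asking for categories the real account holder would know are not there) is visible in the ticket rather than silently satisfied.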

Read full article at Security Boulevard


About the Author

Amber Welch

Amber Welch is a Privacy Technical Lead for Schellman & Company, LLC. With more than 6 years of experience as a technical writer and privacy and security governance consultant, she is dedicated to GDPR and other privacy-focused engagements. Amber has served as a panelist during Black Hat and published several articles on recent privacy developments. She holds a master’s degree from the University of Nebraska, as well as the CIPP/E and CCSK designations from the International Association of Privacy Professionals and the Cloud Security Alliance.
