Weaponized DSARs and the automation to follow

Visit BSI's Experts Corner: Home for insights from BSI’s practice directors and industry experts on Environmental, Health, Safety, Security, and Sustainability.
 
January 11, 2023 - With the ever-increasing media coverage of high-profile data breaches and rising landmark fines, how data and information is handled and managed has never been more important. The growing use of Data Subject Access Requests (DSARs) by individuals or “data subjects”, activists, and cybercriminals is accelerating the move towards improvements in standardized processes and automation for handling personal information requests. 
 
The EU and UK General Data Protection Regulations (GDPRs) and other global privacy regulations such as the California Consumer Privacy Act (CCPA) amongst others in the pipeline in the USA, have put organizations on a positive pathway to privacy as an enabler and competitive advantage, beneficial for businesses operating in any sector. Not only have these regulations encouraged more responsible data handling, but greater transparency of how a data subject’s personal data is processed, controlled, and governed. 
 
However, complying with DSARs continues to be a challenging area for most organizations due to a lack of planning and preparation within their own internal DSAR process. Many departments from Human Resources to Legal and Compliance, are feeling the impact as data subjects continue to invoke their right to obtain a copy of their personal data.
 
With 71% of the world already adopting some form of privacy law (GDPR in the EU and the UK, and China’s Personal Information Protection Law [PIPL]) and a further 9% in draft (including five different state laws in the USA), 2023 is going to be another busy year from a DSAR standpoint.
 
Organizations are likely to see the continued use of DSARs by:
  • Individuals curious to see what personal data a company may be processing on them
  • Former employees seeking copies of their personal data
  • Activists attempting to cause disruption to an organization 
There is also the potential for DSARs to be used by cybercriminals as a mechanism to steal personal data. A University of Oxford-based researcher demonstrated in his GDPArrrr - Using Privacy Laws to Steal Identities paper how organizations lacking a clear and robust method for verifying data subjects can be manipulated into sending personal information to the wrong individual.

Is automation needed to handle weaponized DSAR’s?

Given these challenges and the increasingly changing regulatory landscape, organizations are likely to adopt simpler mechanisms for verifying data subjects, thus avoiding the need to process more data. By adopting data minimization principles, utilizing better data retention strategies, and making further moves towards automation will reduce the personnel load that often falls on the smaller organizations.
 
Follow along with Conor Hogan’s series on digital chaos as he discusses the concept of digital trust and compliance fundamentals. For more insights on other Digital Trust, Privacy, Information Security, Supply Chain security, and Environmental, Health, and Safety topics that should be at the top of your organization's list, visit BSI's Experts Corner.