Data Subjects Access Requests (DSARs) have been on the rise since the European Commission gave the nod to the General Data Protection Regulation (GDPR). There are many things to consider when your company receives a DSAR, including verifying the requestor's identity, reviewing the information requested, and redacting any information related to other people.
However, one of the most important things to consider is how to manage and transfer the requestor's data. It is common to rely on the same accessible platforms that we use to communicate every day, like Email. However, doing this will put potentially sensitive information at risk.
According to WebMD, the likelihood of a data breach of at least 10,000 records is higher than the chances of you catching flu this winter. This essentially means that emails and any other system that is not entirely encrypted must be out of the question when dealing with DSARs.
There is a reason why many privacy professionals shudder from dealing with DSAR. First, there is a massive stockpile of data to scan through, review, and react. All this is time-consuming. Then, there is the potential that the DSAR was inspired by ill intent. Even worse, there is the ever-present possibility that private information could fall into the wrong hands in the process of handling the DSAR.
Security Lapses That Makes Email Unsuitable for Handling DSARs
Yes, we all use Email daily. However, this platform isn't as secure as you may have thought. Here are a few security lapses which make Email unsuitable for handling DSARs.
1. Encryption: You must ensure that any platform you use to manage DSARs comes with end-to-end encryption. Unfortunately, not all emails are encrypted. Most email platforms use point to point encrypted. While this is good, your data is virtually unprotected when it reaches the recipient's server where it is stored.
Gmail and Outlook are known to encrypt data by default while in transit. However, Google does admit that its encrypted technology is not a foolproof way to avoid unauthorized access to data. According to the company, it is still possible for hackers to access encrypted information, although it is more complicated.
2. Malware: Even if your Email is encrypted, and the destination server is also encrypted, the presence of malware on your device trumps these measures. Malware is insidious, and there are many ways they can infect your computer, including through attachments, URLs, and much more.
Ransomware is one of the most popular types of malware today, but there are hundreds, and hackers keep creating more every day. Malware can work in the background and transfer confidential information to unauthorized persons.
3. Weak Passwords: Another reason why emails are unsuitable for handling DSARs is the possibility that someone can access your Email due to an insecure password. Even if you take the time to create an impenetrable password, the chances are that one of your colleagues who has access to the same information hasn't done so. This creates a security loophole that unscrupulous persons could easily explore to access sensitive information.
4. Lost Devices: Even if you took precautions to nullify the possibilities of any of the email security lapses highlighted above, what happens when one of your employees loses his/her device? Anyone with access to the device will essentially have a trove of confidential information.
The fact is that security wasn't the central focus of the people who designed emails.
So, What's the Best Way to Handle DSARs?
The best system to use to handle DSARs is one that guarantees complete encryption - both in storage and in transit - using the latest encryption technology. Ultimately, there is no better way to ensure the safety of sensitive user information than creating a company server. With a company server (whether in-house or on the cloud), you can take control of protecting your user data. This includes having an in-house encryption protocol (that is updated and monitored regularly) as well as having an in-house platform that you can trust for handling DSARs and other sensitive information.
Even with an in-house server and platform, it is essential to have clear policies to regulate how employees handle information. This should span everything from identifying which information to turnover when responding to DSARs, recording the request, verifying the requester's identity, checking if there are legal limitations that prevent sharing the data in question, managing the information, and sharing it.
The way user data is handled is significant to prevent your organization from landing in legal troubles. If your employees are using a virtualized desktop, it should be clear to everyone that storing data anywhere except the company's server is prohibited. Also, if you have remote workers, they must understand that using public WiFi to access the company's server is against the rules.
These precautionary measures go a long way to guarantee that unauthorized persons cannot get access to sensitive data when you are dealing with DSARs. If information is accidentally sent to a third-party department or a person happens to share it with an unprotected system, there must be a laid out procedure to trace the information and delete it (as well as the backup, if any).
Having a clear procedure for handling DSARs is particularly important as companies are obligated to respond to requests within 45 days. Many organizations out there tend to overlook the importance of preparing for DSARs as they have never received them. This is a wrong approach that could lead to several issues down the line. More DSARs are expected to come through to companies over the coming years.
Emails will remain the standard for communication within companies as well as with external parties (like customers and other organizations). However, there are inherent security gaps that make the platform unsuitable for handling confidential information like DSARs. With rapid advancements in technology, there is a possibility that Email may become an impenetrable platform in the future. However, at the moment, this is not the case. Therefore, organizations must take measures to protect sensitive data.
We take privacy seriously. While we promise not to sell your personal data, we may send product and company updates periodically. You can opt-out or make changes to our communication updates at any time.