Companies across the globe are now working toward compliance with the EU GDPR, while phishers may be preparing to exploit their new compliance processes. Airbnb first fell prey to a GDPR-related scam, with more surely to come. Unfortunately, many GDPR security efforts have focused primarily on Article 32 while overlooking new ancillary compliance program risks.
One new point of data egress usually lands outside the purview of the security team: the data subject rights established in Articles 15 to 22. This egress can become exfiltration when an organization’s support team provides data to a phisher impersonating a legitimate data subject. Organizations may design lenient data subject rights processes with minimal identity verification in hopes of avoiding data subject complaint fines. When self-service methods aren’t possible, how can organizations honor these rights without falling victim to phishing attacks?
Involve the Security Team
Controllers overwhelmed with a high request volume or very complex requests can extend the standard one-month processing time by an additional two months, giving a maximum of three months to process requests (Article 12.3). Consult the security team when designing the response procedure, whether it is manual, self-service or some combination thereof. Include the process in your risk assessment and request a security review, especially where there is sensitive or special category data.
Limit Personal Data Sent Out of the Organization
Practice data minimization in the amount of personal information sent outside of the organization in response to rights requests. Controllers with a significant amount of information in an individual’s record can ask the data subject if they would like to specify a data type or processing activity for the request rather than providing the full record (Recital 63). If possible, limit the scope to deliver only what the data subject truly wants—and no more—rather than sending the entire record by default. Controllers do not have to send information that the data subject already has or can access (Article 13.4 and Recital 62). Ask if the individual simply needs help with account access, a password reset or finding their data.
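The two controls above (verify the requester out of band before anything leaves the organization, then release only the categories actually asked for and skip what the subject can already see) can be expressed as a small request handler. The code below is an added example, not code from the article or from any GDPR tooling; the account records, the "address on record" delivery channel (`OUTBOX`), the `PENDING` store and the category names are all constructed for illustration. The point it demonstrates is that the one-time code goes to the contact address already on file, never to the address the request arrived from, so someone impersonating a data subject cannot complete the request, and that the export is scoped by category with self-service categories noted rather than re-sent.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed customer records keyed by account id. Fields are grouped by
# data category so an export can be scoped to what the subject asked for.
RECORDS = {
    "acct-1001": {
        "contact_email": "dana@example.net",   # address on record
        "data": {
            "profile": {"name": "Dana Q.", "email": "dana@example.net"},
            "orders": [{"id": "o-17", "total": "42.00"}],
            "support_tickets": [{"id": "t-3", "subject": "Login issue"}],
        },
    }
}

# Categories the subject can already see on the self-service account page;
# these are listed but not re-sent (Article 13.4 / Recital 62).
SELF_SERVICE_CATEGORIES = {"profile"}

# Stand-ins for the e-mail/SMS channel and the pending-verification store.
OUTBOX = {}    # address on record -> one-time code (constructed delivery)
PENDING = {}   # account id -> (code, attempts remaining)
MAX_ATTEMPTS = 3


@dataclass
class DsarRequest:
    account_id: str
    requester_email: str            # where the request came from: untrusted
    requested_categories: list
    audit: list = field(default_factory=list)


def start_request(req: DsarRequest) -> str:
    """Send a one-time code to the address on record, never to the requester."""
    rec = RECORDS.get(req.account_id)
    if rec is not None:
        code = secrets.token_hex(4)
        PENDING[req.account_id] = (code, MAX_ATTEMPTS)
        OUTBOX[rec["contact_email"]] = code
        if req.requester_email != rec["contact_email"]:
            # Not a rejection (subjects do change addresses), but flag it.
            req.audit.append("requester address differs from address on record")
    # Same reply whether or not the account exists.
    return "if an account exists, a verification code has been sent"


def fulfil_request(req: DsarRequest, presented_code: str):
    """Release only the requested categories, and only after verification."""
    pending = PENDING.get(req.account_id)
    if pending is None:
        req.audit.append("no pending verification; nothing released")
        return None
    code, attempts = pending
    if not hmac.compare_digest(code, presented_code):
        attempts -= 1
        if attempts == 0:
            PENDING.pop(req.account_id)     # close after repeated failures
            req.audit.append("verification failed; request closed")
        else:
            PENDING[req.account_id] = (code, attempts)
            req.audit.append("verification failed; nothing released")
        return None
    PENDING.pop(req.account_id)             # code is single-use
    data = RECORDS[req.account_id]["data"]
    export = {}
    for cat in req.requested_categories:
        if cat not in data:
            continue                        # unknown category: nothing to say
        if cat in SELF_SERVICE_CATEGORIES:
            export[cat] = "already available in your account settings"
        else:
            export[cat] = data[cat]
    req.audit.append("released: " + ",".join(sorted(export)))
    return export


if __name__ == "__main__":
    r = DsarRequest("acct-1001", "someone@example.org", ["orders", "profile"])
    print(start_request(r))
    print(fulfil_request(r, OUTBOX["dana@example.net"]))
    print(r.audit)
```

In a real deployment the `OUTBOX` write becomes an actual message to the contact details held for the account, `PENDING` lives in a store with an expiry, and the `audit` list becomes the record the security team reviews; the shape of the check stays the same.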
Read full article at Security Boulevard