Weaponized DSARs and the automation to follow

With the ever-increasing media coverage of high-profile data breaches and rising landmark fines, how data and information are handled and managed has never been more important. The growing use of Data Subject Access Requests (DSARs) by individuals or “data subjects”, activists, and cybercriminals is accelerating the move towards improvements in standardized processes and automation for handling personal information requests.

The EU and UK General Data Protection Regulations (GDPRs) and other global privacy regulations, such as the California Consumer Privacy Act (CCPA) and others in the pipeline in the USA, have put organizations on a positive pathway to privacy as an enabler and competitive advantage, beneficial for businesses operating in any sector. Not only have these regulations encouraged more responsible data handling, but they have also brought greater transparency about how a data subject’s personal data is processed, controlled, and governed.

However, complying with DSARs continues to be a challenging area for most organizations due to a lack of planning and preparation within their own internal DSAR process. Many departments, from Human Resources to Legal and Compliance, are feeling the impact as data subjects continue to invoke their right to obtain a copy of their personal data.

With 71% of the world already adopting some form of privacy law (GDPR in the EU and the UK, and China’s Personal Information Protection Law [PIPL]) and a further 9% in draft (including five different state laws in the USA), 2023 is going to be another busy year from a DSAR standpoint.

Organizations are likely to see the continued use of DSARs by:

  • Individuals curious to see what personal data a company may be processing on them
  • Former employees seeking copies of their personal data
  • Activists attempting to cause disruption to an organization 

There is also the potential for DSARs to be used by cybercriminals as a mechanism to steal personal data. A University of Oxford-based researcher demonstrated in his paper “GDPArrrr - Using Privacy Laws to Steal Identities” how organizations lacking a clear and robust method for verifying data subjects can be manipulated into sending personal information to the wrong individual.

Is automation needed to handle weaponized DSARs?

Given these challenges and the increasingly changing regulatory landscape, organizations are likely to adopt simpler mechanisms for verifying data subjects, thus avoiding the need to process more data. Adopting data minimization principles, utilizing better data retention strategies, and making further moves towards automation will reduce the personnel load that often falls on smaller organizations.

Blog by BSI Expert Conor Hogan, Global Practice Director – Data Governance, BSI


BSI enables people and organizations to perform better. We share knowledge, innovation and best practice to make excellence a habit – all over the world, every day.

© Copyright nasscom. All Rights Reserved.