Security Analysis of Subject Access Request Procedures: How to authenticate data subjects safely when they request for their data

Abstract: With the GDPR in force in the EU since May 2018, companies and administrations need to be vigilant about the personal data they process. The new regulation defines rights for data subjects and obligations for data controllers but it is unclear how subjects and controllers interact concretely. This paper tries to answer two critical questions: is it safe for a data subject to exercise the right of access of her own data? When does a data controller have enough information to authenticate a data subject? To answer these questions, we have analyzed recommendations of Data Protection Authorities and authentication practices implemented in popular websites and third-party tracking services. We observed that some data controllers use unsafe or doubtful procedures to authenticate data subjects. The most common flaw is the use of authentication based on a copy of the subject's national identity card transmitted over an insecure channel. We define how a data controller should react to a subject's request to determine the appropriate procedures to identify the subject and her data. We provide compliance guidelines on data access response procedures.
Document type: Conference papers
https://hal.inria.fr/hal-02072302
Contributor: Cédric Lauradoux
Submitted on: Tuesday, March 19, 2019 - 9:24:08 AM
Last modification on: Wednesday, March 20, 2019 - 1:09:35 PM

File

right.pdf
Files produced by the author(s)

Identifiers

  • HAL Id: hal-02072302, version 1

Citation

Coline Boniface, Imane Fouad, Nataliia Bielova, Cédric Lauradoux, Cristiana Santos. Security Analysis of Subject Access Request Procedures How to authenticate data subjects safely when they request for their data. 2019 - Annual Privacy Forum, Jun 2019, Rome, Italy. pp.1-20. ⟨hal-02072302⟩

Metrics

Record views: 967

Files downloads: 895