Responding to a troll GDPR Subject Access Request - Australian/NZ Version
The General Data Protection Regulation (GDPR) guidance in this post is experience based and your own response should be reviewed by a law counselor. I'm no lawyer, and many who are do not have subject matter experience (yet), so a balanced approach is playing it safe in these early days.
You may have heard that a sample SAR letter was posted and likely you've received a carbon-copy in your inbox, if so you've come to the right place. That sample letter has been widely used to harass businesses without motive other than mass disruption in most cases, Whether your business is targeted or not the SAR letter is considered legitimate (at least it is currently) and requires a response.
The following points are specific to the sample letter but can be used if you've received a similar variant, however a more sophisticated SAP letter, perhaps drafted by a lawyer, may require more thorough consultancy.
A real customer?
An obvious tell tale sign of the claimant using a copy of the sample is if it starts with (2nd sentence)
I am a customer of yours,
Are they? Have they provided any way for you to verify this? Check the letter for any indications that this is a real customer and if you cannot find any records you might feel comfortable to disregard the rest of the content in the letter at this point and simply respond with a request for the individual to identify themselves as a customer.
The letter also includes
I am including a copy of documentation necessary to verify my identity
So this claimant must have done this, right?
Getting an extension
This is a good time to mention that GDPR has a provision to extend the deadline with another two months if
- you are overwhelmed with requests, or;
- if the request is overly complex
A letter that has no way to identify themselves as a customer would not qualify for "overly complex" but if you have many letters and limited resources to dedicate to addressing them you can mail back the claimant telling them their request will take up to three months (two months extension after the one month as required under Article 12) to process giving you some time to automate some of the elements.
Australian InfoSec
Question 8 specifically asks about policies and standards.
Most Australian businesses should already adhere to the 13 APPs (Australian Privacy Principles) given they have been around for 30 years in Australian law.
Side note: New Zealand also have 12 Information Privacy Principles closely aligned to Australia's
If your business has not interacted with any company defined under "agencies" (an not an agency yourself) of the Privacy Act you might not have encountered the APPs or other Australian specific InfoSec initiatives such as;
- Office of the Australian Information Commissioner (OAIC) Assessment
- Information Security Registered Assessors Program (iRAP) from the Australian Signals Directorate (ASD)
- Australian Prudential Regulation Authority (APRA) for financial systems
- predecessor regulators were the Insurance and Superannuation Commission (ISC), the Reserve Bank of Australia (RBA), and the Australian Financial Institutions Commission (AFIC)
- The Protective Security Policy Framework (PSPF) from the Attorney-General's Department
- Australian Government Information Security Manual (ISM) from the Australian Signals Directorate (ASD)
- Restricted Authorised deposit-taking institution (ADI) Framework from Australian Prudential Regulation Authority (APRA)
There are also a lot of internationally recognised initiatives, some of the most notable;
- ISO Standards
- ISO 9001:2015
- ISO/IEC 27001:2013
- ISO/IEC 27002:2013
- ISO/IEC 27017:2015
- ISO/IEC 27018:2014
- PCI DSS 3.2 or PCI PA
- Sarbanes-Oxley (SOX)
- ISAE 3402
- SOC 1 (SSAE 16)
- SOC 2 (Trust Services and AT 101)
- SOC 3 (alternate report for SOC 2 Type 2)
- The Committee of Sponsoring Organizations (COSO)
- Information Systems Audit and Control Association (ISACA) Control Objectives for Information and Related Technology (COBIT)
- IT Infrastructure Library (ITIL)
- Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR)
- Center of Internet Security (CIS) Benchmarks
- Cyber Essentials Plus
There are also some country specific initiatives that are highly regarded;
- The NIST Cybersecurity Framework (NIST CSF)
- Federal Information Processing Standard (FIPS) 140-2 Level 4
- Health Insurance Portability and Accountability Act (HIPAA)
If you have no intersections with at least one of these, you may have a hard time with GDPR.
Quickly addressing questions
There are a lot of questions in the sample, however a lot can be addressed together.
Personal data processing
This is the first question int he sample and the general nature of the inquiry.
-
If you do not collect, store, or process personal data of your end-users directly, make sure you have a GDPR compliant Privacy Policy and respond now directing to the policy.
-
If you do process personal data but do not collect it from the user directly, you are what is called a sub-processor and you can direct the individual to the b2c entity that you to process the data on their behalf. Your business is subject to a high volume of this kind of fishing expedition, so you might look at automating this type of response.
-
You do collect and process personal data, so be prepared and document a Privacy Impact Assessment (PIA) for the systems that process personal data if you do not already have one (you should), and address the claimants questions.
I want a copy of my data
The GDPR is the successor of the Data Protection Directive which was a European Union directive that didn't reach beyond Europe as the GDPR does. If you operated in Europe prior to GDPR you should already be able to comply with this request due to it being required under DPA.
If you've never had a need to provide an individuals data before it should be easy because there is no formatting requirements. So an export using whatever plain-text format (like CSV, SQL inserts, JSON, XML) your database exports to can be used unmodified with little effort. However it is advised you transform the export file format so as to not have your systems identifiable and compromised.
This is one of the core rights that users get under the GDPR (and already had, under the DPD) so it would be a priority for you to automate this now GDPR non-compliance is subject to legal action and financial impacts.
How do you use my data
This question comes in many forms throughout the sample letter.
Assuming you have an existing Privacy Policy, make sure it outlines each past, current, and future uses of data processing you expect and describe time-frames you expect for these processes to operate. You must not store personal data past the disclosed periods so you may have certain changes to implement for your systems to be compliant.
Who do you share my data with
In most cases this is limited to law enforcement, or no entities at all. You may also have Master Service Agreements (MSA) or contract with another entity that you share private data with, which is the most obvious data sharing capability you might have.
However a less obvious data sharing capability a lot of modern businesses provide is an application programming interface (API) as part of a standard offering. It may even be provided indirectly if you have a web browser based service/s like a website or an intranet, in which case you should look at what kind of private information is delivered over the API.
How do you safeguard my data
Fair question.
However you have no obligation to disclose details of any controls you implement to my knowledge, or knowledge of many who have scrutinise GDPR responsibilities as I have.
Have you disclosed my data in a breach?
Australian businesses were expected to disclose data breaches since 2017, before GDPR. In fact it became a requirement February 22nd this year under the OAIC's Notifiable Data Breaches (NDB) scheme introduced in 2015, and GDPR was enforcible only 2 weeks ago (May 25th).
Given it is the individual claimants responsibility to assess the risk of harm to themselves, and I hope you have no known but undisclosed breaches, so you could satisfy the claimant with an answer or you might decide to politely respond stating there are no undisclosed breaches.
Backups of my data
Your Privacy Policy should indicate data storage including backups, and be careful about providing details of where data is stored or how it is secured because you may inadvertently disclose vulnerabilities to a bad actor posing as a customer.
Staff access to my data
In my professional experience this is a question that is not a common as I'd like. I use this question myself extensively when conducting risk assessments as it has a powerful reason to pry into service providers security practices.
For your response and perhaps an action for you to take if you don't already practice this, the best control here is that you ask all employee's and contractors to sign data confidentiality agreements and upon termination you have them sign a non-retention agreement.
Conclusion
There are a lot of examples of businesses being harassed under the guise of GDPR, and unfortunately there's free ammunition for both the legitimate and bad actors can use to disrupt your business. I fundamentally believe in the goals of our own APPs and the GDPR but know all too well the burden placed on businesses to achieve these goals, for which I obligate myself to make it as easy as possible for everyone to find useful and actionable information to reduce the burden of compliance.
If GDPR is still new to you, hopefully you've learned enough by reading my previous post and here, but I strongly recommend you become familiar and seek formal legal advice before making any decision or taking action that might cause you significant impacts.