Article: Tuesday, 14 January 2025
This topic was discussed at the recent Reshaping Work Conference 2024 in Amsterdam, where Klaus Heine moderated an expert panel. The topic is also extensively analysed as part of the research project that Larisa Munteanu works on in the Law & Business Department of Erasmus School of Law. A case note supporting these findings was recently published in the European Review of Private Law: Case C-307/22: The GDPR Fine Line Between Access and Abuse.
Data protection is still a frequently debated topic across multiple sectors: business, law, IT and marketing among others. In this conundrum of opinions and schools of thought, one thing is clear: personal data has become a new commodity. Even for services claiming to be ‘free’, we end up ‘paying’ with our personal data. Social media feeds daily on what we share, allowing growth of its databases and its overall position in the data-driven economy. Today, no company can dismiss data protection when carving out its business strategy. This is even more true when there is a digital platform in play.
In the EU, the main regulatory framework is the General Data Protection Regulation (GDPR), which serves as a model of privacy regulation for legal systems worldwide. From a GDPR perspective, we are called data subjects when we provide our personal data to data controllers, the organisations handling it for specific purposes. For example, we disclose personal data when setting up accounts on social media, paying bills, buying museum tickets, ordering a taxi or attending online courses. Essentially, we entrust all these providers with our valuable assets, as if moving them into a hypothetical vault. In return, all these service providers establish sets of rules, called policies, notices or procedures, for protecting our personal data. However, just as with tangible assets, perpetrators will always attempt to gain illegal access to this property. That is also the case in the cyber world, with the nuance that the methods for committing unlawful acts are far easier to vary and invent. For example, it is less complicated to commit identity theft online than in the physical world, because the online space is flexible and borderless.
As a result, in recent years data subjects have become more aware of their privacy, and this has been mirrored in the GDPR and other laws and regulations. Beginning with requesting copies of personal data, deletion or correction, the modern individual is now legally entitled to know more and to limit businesses in their data processing operations. The core privacy-related rights of the individual are:
Among the plethora of business strategies, companies that process personal data, usually as a data controller, face multiple sets of obligations and responsibilities. For example, they need to set lawful retention periods for the data, store the data securely, ensure that data transfers are in line with the law, and avoid data breaches (such as unauthorised access to the data).
Therefore, it becomes instantly clear that data protection rights are a driving force not only in the privacy realm, but also in the business strategy of companies. This is why, in many cases, law firms now instruct clients to rely on these rights in order to create ‘weapons’ against data controllers with which they are in conflict. For example, this happens quite often in practice with unfair dismissals and disciplinary actions. The individual in question submits a Data Subject Access Request in order to (supposedly) access all the information the company stores about them. However, because the law does not limit the exercise of this right to a specific aim, it has become a tool to see what is actually written as part of such investigations. Unless the request is found to be ‘manifestly unfounded or excessive’ or is simply covered by a legal exception, the data controller will be obliged to comply with it. Nonetheless, little clarity exists in the legal sphere around what these concepts really cover. Supplementary guidance notes to the law sometimes touch upon them, but always on an examples-only basis.
As a result, cyber-attackers have taken these considerations into account and expanded their technical solutions for obtaining more personal data. More recently, one of the methods used is to send an email pretending to come from a requester exercising such data protection rights. In this context, the attacker relies on the fact that the GDPR allows the request to be submitted in any format, without limitations, and submits the request as an ‘attached’ file. In reality, the file is malware, which upon execution infiltrates the systems and collects whatever the attacker desires: credentials allowing access to sensitive documents or platforms, personal data of employees and clients, business-sensitive information, trade secrets, etc. Such techniques are a real concern for businesses and thwart their business strategy, but they are also a concern for lawyers, Data Protection Officers and authorities. In the end, the technique relies on misusing the regulatory freedom of the GDPR, causing harm to both data subjects and data controllers.
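An added illustration of how a Data Protection Officer's mailbox can handle this risk without refusing the request (example code, not part of the article): the plain-text body of the message is preserved so the request can still be answered, while attachments are rated by name and declared type only and are never opened. The extension and MIME lists and the sample message are constructed for the example.

```python
import email
from email import policy

# Constructed lists (tune locally): types a legitimate access request never needs to arrive in.
HIGH_RISK_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".bat", ".cmd", ".ps1", ".iso", ".img"}
HIGH_RISK_MIME = {"application/x-msdownload", "application/x-executable", "application/java-archive"}
QUARANTINE_EXT = {".docm", ".xlsm", ".pptm", ".zip", ".rar", ".7z"}  # macro-enabled or archives
RANK = {"scan": 1, "quarantine": 2, "block": 3}

def classify_attachment(filename, content_type):
    """Verdict for one attachment from its name and declared type only; the content is never read."""
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in HIGH_RISK_EXT or content_type in HIGH_RISK_MIME:
        return "block"
    if ext in QUARANTINE_EXT:
        return "quarantine"
    return "scan"  # still subject to the normal anti-malware scan before anyone opens it

def triage_dsar_email(raw_message):
    """Keep the plain-text request (so it can still be answered) and rate the attachments."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    request_text = body.get_content().strip() if body else ""
    attachments = [(p.get_filename(), p.get_content_type(),
                    classify_attachment(p.get_filename(), p.get_content_type()))
                   for p in msg.iter_attachments()]
    verdict = max((a[2] for a in attachments), key=RANK.get, default="no_attachments")
    return {"request_text": request_text, "attachments": attachments, "verdict": verdict}

# Constructed sample: the 'request' is an executable attachment; its payload is a few zero bytes.
SAMPLE_DSAR = """\
From: requester@example.com
Subject: Data Subject Access Request under Article 15 GDPR
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear DPO, please find my access request attached.
--b1
Content-Type: application/octet-stream; name="access_request.exe"
Content-Disposition: attachment; filename="access_request.exe"
Content-Transfer-Encoding: base64

AAAAAAAA
--b1--
"""
```

A "block" verdict does not mean the request is ignored: the retained body text is logged and the requester is asked to restate the request in the message body, so the controller still responds while the attachment stays unopened.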
All in all, we believe the chameleon-like nature of data protection rights will always depend on who exercises these rights and on how the law protects (and limits) this exercise. As the GDPR stands at the moment, abuse of the granted rights will certainly not stop. It is still an emerging trend, which seems to grow in varied and less detectable ways, taking advantage of loopholes in the regulation. Ultimately, only a regulation grounded in practice would be able to cover more of these concerns and would offer more steadiness and readiness for future forms of cyber-attack. Personal data may be considered the new oil, but its infinite nature makes it more difficult to protect, especially in a digital environment where borders are not clear. However, we can safely say that any and every business strategy must somehow deal with the challenge of privacy!
Erasmus School of Law, Erasmus University Rotterdam. Jean Monnet Chair of Economic Analysis of European Law, Co-Director Centre of Excellence on Digital Governance (DIGOV)
CIPP/E, CIPM Data Protection Lawyer and Data Protection Officer, Founder of Protector PriVit, Junior Fellow at the Centre of Excellence on Digital Governance (DIGOV), PhD Researcher at Erasmus School of Law, Erasmus University Rotterdam