How Virtru Takes the Adventure Out of Right of Access Requests

The European Union’s General Data Protection Regulation (GDPR) came into effect last year just as a range of data misuse and abuse allegations dominated mainstream discussions in the United States. This new regulatory landscape, coupled with increased consumer interest in how their data is being accessed, used, and shared, prompted an interesting GDPR request last week based on Netflix’s Black Mirror: Bandersnatch choices. As part of their compliance with this data request, Netflix leveraged Virtru’s email encryption. They quickly and securely shared the data, demonstrating both the privacy and the compliance inherent within the Virtru platform.

The GDPR is one of the most far-reaching regulatory changes in decades, introducing a range of data privacy and protection regulations to safeguard the data of European Union citizens. Among the many impactful regulatory changes, the GDPR includes a Right of Access wherein “The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data”, including the purpose of the collection and the existence of automated decision-making, including profiling.

A tech policy researcher, Michael Veale, decided to leverage the GDPR’s Right of Access to ascertain how much user data Netflix stored. He wasn’t interested in Netflix’s algorithms for recommendations or profiling of his viewing decisions. Instead, Veale wanted to know whether Netflix stored Black Mirror: Bandersnatch choices. Bandersnatch broke ground in providing an interactive watching experience, where the viewers determine specific character actions and the various plot twists. Veale was curious whether and how Netflix stored these plot decisions.

Veale’s findings have been well-documented in Motherboard and Gizmodo, and highlight how broadly ‘personal data’ can be interpreted, an interpretation that is likely to continue to evolve. Veale acknowledges Netflix’s thoroughness in responding to his request, and provides a detailed overview of the data Netflix provided within a Twitter thread.

How did Netflix comply with this GDPR Right of Access request? According to Veale, they provided the file to him through an encrypted email using Virtru.

Virtru’s emphasis on usable encryption streamlined this entire process for both Netflix and Veale. Using their existing management tools, companies like Netflix download and deploy Virtru, which works seamlessly with their existing email client, such as Gmail and Microsoft. From there, senders are always granted the option to encrypt or not, and can designate additional privacy policies such as revoking access and limiting forwarding. If the recipient has also downloaded Virtru, they simply open the message in their email client. If the recipient doesn’t have Virtru, they can access Virtru Secure Reader to decrypt and view the message after verifying their identity. Because the message and file are encrypted from the sender to the recipient (i.e., end-to-end), if the data is intercepted, it will be unreadable to anyone other than the intended recipient.

For organizations needing to respond to Requests for Access, Virtru expedites the compliance process. Both the California Consumer Privacy Act and HIPAA similarly have Request for Access deadlines, and given the increasing concern about data misuse, these requests are only likely to increase. In fact, organizations are increasingly concerned about their ability to comply with the GDPR and to provide the data within the one-month window and without undue delay. This is especially difficult given the rise in these requests, which have increased by one-third since the GDPR came into effect, according to one poll of healthcare practices.

As the GDPR and similar regulations come into effect, organizations will likely soon find themselves in positions similar to Netflix’s. Virtru protects data across the full life cycle – from sender to recipient and beyond – helping organizations quickly adapt to the shifting regulatory environment. Learn more about how Virtru helps with GDPR compliance and protects data.