Data subject access requests pose GDPR risk

Data subject access requests pose GDPR risk

gdpr - data subject access requestsData subject access requests are a key part of GDPR. By allowing users to request a copy of the data an organisation holds on them, they ensure transparency and give users the awareness and ability to protect their information.

However, an unexpected side-effect is that they are also posing a risk to users because organisations are not taking sufficient steps to check the legitimacy of such requests.

The issue was discovered by Oxford University PhD student James Pavur. Having sent 150 data subject access requests in his fiancé’s name, he was given her data by almost a quarter of organisations with no more confirmation of identity than her email address or phone number.

As reported by Econsultancy:

Clearly, subject access creates a significant and previously not well-publicized risk for businesses.


While GDPR compliance has been a great concern for many companies, and Pavur’s research indicates that a large percentage are taking subject access requests seriously, the lack of a standard for what constitutes reasonable identity verification leaves companies vulnerable and gives bad actors the ability to turn a consumer data protection law into a weapon for stealing consumer data.


Perhaps not surprisingly, just as small and mid-sized organizations struggled the most to prepare for the GDPR, these organizations also appear to be the most vulnerable to subject access abuses. According to Pavur, the largest organizations he sent requests to “tended to perform well”. Non-profits and mid-sized businesses, on the other hand, were responsible for 70% of the mishandled requests.

You can read the full article from Econsultancy here:

The data that Pavur gained access to was often of a sensitive nature. In one case, he was able to obtain his fiancé’s US social security number without providing any documentation. He also obtained bank details and breached usernames and passwords that were still in use.

All of this indicates that there is still a long way to go when it comes to GDPR compliance. In attempting to comply with the law over data subject access requests, organisations were actually failing in their obligations to protect user data.

If you’re uncertain about how to ensure GDPR compliance, Activa Consulting can help. Get in touch with us today and our expert data protection consultants will provide the guidance that you need.

Google ordered to stop manual review of recordings via Article 66

Google ordered to stop manual review of recordings via Article 66

google - article 66Under GDPR’s Article 66, Google has been ordered to stop manually reviewing audio recordings from its Google Assistant Service because the process breaches data protection laws.

This follows a data breach last month of more than 1000 recordings. A Belgian News Site, VRT, was able to identify people from the clips given to them, including such data as their addresses and medical conditions.

While Google has taken steps to report the breach to the Irish Data Protection Commission (DPC), it’s the fact that it has been forced to stop processing this data that is most significant here.

As reported by TechCrunch:

The real enforcement punch packed by GDPR is not the headline-grabbing fines, which can scale as high as 4% of a company’s global annual turnover — it’s the power that Europe’s DPAs now have in their regulatory toolbox to order that data stops flowing.


“This is just the beginning,” one expert on European data protection legislation told us, speaking on condition of anonymity. “The Article 66 chest is open and it has a lot on offer.”

This seems to be the first time that Article 66 has been implemented, but it demonstrates that GDPR is a powerful tool for data protection regulators. Not only can it levy big penalties after a data breach has occurred, it can force organisations to change their procedures.

The key requirement is that there is an “an urgent need to act in order to protect the rights and freedoms of data subjects”, which there was here.

This case also demonstrates that data can include such things as video and audio recordings. Personal data is anything that can be used to identify a person, whether on its own or in conjunction with other information.

Not sure whether your organisation’s data handling processes are compliant with GDPR? Our expert advice can help. Contact us today to find out how our consultancy services can help you!

E3 data breach leaks data of 2000 journalists

E3 data breach leaks data of 2000 journalists

game controllers - e3 data breachE3 (the Electronic Entertainment Expo) is one of the biggest events in the calendar for video gaming – but it’s recently been revealed that a data breach at this year’s event left data exposed for over 2000 people.

This E3 data breach came as a result of a spreadsheet that was published on the event’s website and made publicly available.

As reported by Kotaku:

The Entertainment Software Association, the organization that runs E3, has since removed the link to the file, as well as the file itself, but the information has continued to be disseminated online in various gaming forums. While many of the individuals listed in the documents provided their work addresses and phone numbers when they registered for E3, many others, especially freelance content creators, seem to have used their home addresses and personal cell phones, which have now been publicized. This leak makes it possible for bad actors to misuse this information to harass journalists. Two people who say their private information appeared in the leak have informed Kotaku that they have already received crank phone calls since the list was publicized.

You can read Kotaku’s full report on the story here:

While the ESA moved quickly to plug this breach and limit the danger to users, they made a crucial mistake. They deleted the page containing the link to the spreadsheet – but after the story broke in the news, it was found that the spreadsheet itself was still accessible.

This E3 data breach could potentially be very costly for ESA. With journalists attending the event from all over the world, they could find themselves subject to investigations and penalties under multiple different data protection laws, including GDPR.

Kotaku also updated their report to note that ESA provided the following statement:

In the course of our investigation, we learned that media contact lists from E3 2004 and 2006 were cached on a third-party internet archive site. These were not files hosted on ESA’s servers or on the current website. We took immediate steps to have those files removed, and we received confirmation today that all files have either been taken down or are in the process of being removed from the third-party site.


We are working with our partners, outside counsel, and independent experts to investigate what led to this situation and to enhance our security efforts. We are still investigating the matter to gain a full understanding of the facts and circumstances that led to the issue.

But with the data already out there, the damage has likely already been done.

Contact us straight away if you’re concerned about the possibility of a data breach at your organisation. Under GDPR, the fines can be severe: up 20 20 million euros or 4% of annual turnover per breach!

CEOs unaware of GDPR non-compliance

CEOs unaware of GDPR non-compliance

data - gdpr non-complianceA new investigation by Delphix has uncovered some worrying information about GDPR non-compliance in the UK, with many businesses unaware of their failings to meet their obligations under GDPR.

Despite the fines and penalties involved in GDPR non-compliance – as can be seen from the recent British Airways fine – many organisations seemed unaware of the need to be careful with personal data.

Employees revealed that they are often unaware of whether they are GDPR compliant or not, with some showing little concern about the matter. One chief information security officer (CISO) even admitted to lying to their CEO about the company’s compliance levels.

As reported by DataCentreNews:

“These confessions should come as a wake-up call to the C-suite,” says Delphix CTO Eric Shrock.


“It is clear that the vast majority of top-level execs are blissfully unaware of how easily accessible their highly sensitive data is,” he adds.


“Pair that with growing frustration amongst developers looking to acquire data quickly and we have the perfect recipe for disaster.”

You can read the full article from DataCentreNews here:

That data protection awareness is not better at the very highest levels of business should be a major concern. It’s often at these levels that people have the most access to personal data.

Data protection and awareness of GDPR should always be incorporated into business processes by design and default. By implementing this philosophy, the kinds of lapses that Delphix uncovered are much less likely to occur.

It’s also important that data protection training be carried out across the entire organisation, from both the lowest level employee to the highest. Anybody within an organisation can be responsible for a data breach; improving awareness of a company’s GDPR non-compliance starts by educating the workforce.

Here at Activa Consulting, we offer a range of staff training options, both in-person and online, to help minimise the risk of data breaches and the resulting fines. If you’re concerned about your compliance levels, get in touch with us today!

Facebook “Like” button could be GDPR risk

Facebook “Like” button could be GDPR risk

facebook like button imageIt’s common to see the Facebook Like button on websites these days, but it may be a danger to those sites as a result of a new ruling from the European Court of Justice

The court has decided that the website owners themselves are responsible for the data collected through the button. They are therefore also liable in cases where this data could be breached.

Given the social media giant’s infamous history regarding data protection issues, there’s good reason to be worried about the Facebook Like button. As reported by The Drum:

In their ruling the judges say the use of such widgets by any organisation amounts to being a joint data controller, meaning that websites “must provide, at the time of their collection, certain information to those visitors such as, for example, its identity and the purposes of the [data] processing.”


The darker side of Facebook’s Like button has come to prominence in recent months on the back of a series of privacy scandals to rock Facebook, with analysts pointing out that its primary function isn’t as a digital show of support but a tool to track individuals and permit data collection beyond Facebook’s products.


This was brought to light in a case involving German retailer Fashion ID which was sued by consumer rights group Verbraucherzentrale NRW over its use of the Facebook widget which escalated to the ECJ, which has now determined that Fashion ID must be considered a data controller in terms of both the collection and transmission of data.

You can read the full article here:

Becoming complicit in Facebook’s data protection failings is an extremely dangerous thing to do – and considering its track record, could potentially bring certain companies to their knees. Many websites would therefore do well to completely remove the Facebook Like button.

This demonstrates how important it is to be aware of not only your own data protection processes, but also those of third-party developers and services.

You may believe your organisation to be GDPR compliant, but if you are using the services of one which isn’t, you will still be liable for any data breaches that occur as a result of their failings.

If you think this is a concern at your company, we can help. Contact us today – our GDPR consultancy services can help improve your compliance levels and reduce the data protection risks businesses face.

Data stolen from Lancaster University students

Data stolen from Lancaster University students

student - data stolenA malicious phishing attack has resulted in Lancaster University students and applicants having data stolen, with the data then being used to send fake invoices to applicants.

The data stolen included sensitive information such as names, phone numbers, email addresses, and ID documents. The breach apparently occurred as a result of the university’s systems being compromised.

In the BBC’s analysis, it was stated that:

Lawyer Helen Davenport, who advises clients on cyber security, said it was “essential” sectors such as higher education took cyber-security risks “seriously” and put training and software in place to “proactively shield against future attacks”.


She said “all eyes” would now be on how the attack had impacted students’ data and how the university intended “to guard against something likely to be attempted again”.


Failure to do so “could affect the attractiveness of the university to future candidates”, she added.

The full article from the BBC can be read here:

It’s important to note that although this breach is potentially very damaging for the students affected, Lancaster University has responded swiftly and efficiently. Since becoming aware of the breach on Friday, the university has taken steps to notify both the Information Commissioner’s Office (ICO) and the National Crime Agency NCA.

It is also moving to protect its data subjects, securing its systems and contacting those affected with advice.

Having good procedures in place in case of a data breach will always be regarded favourably by the ICO. It will be a long time before we discover what penalty Lancaster University faces, but by taking the actions it has, it has likely reduced any fines.

If you’re uncertain about the correct procedures to follow in case of a data breach, we can help here at Activa Consulting. Click here to get in touch with us about our wide range of consultancy offers, including self-management software and interim Data Protection Officer services.