Data subject access requests pose GDPR risk

Data subject access requests pose GDPR risk

gdpr - data subject access requestsData subject access requests are a key part of GDPR. By allowing users to request a copy of the data an organisation holds on them, they ensure transparency and give users the awareness and ability to protect their information.

However, an unexpected side-effect is that they are also posing a risk to users because organisations are not taking sufficient steps to check the legitimacy of such requests.

The issue was discovered by Oxford University PhD student James Pavur. Having sent 150 data subject access requests in his fiancé’s name, he was given her data by almost a quarter of organisations with no more confirmation of identity than her email address or phone number.

As reported by Econsultancy:

Clearly, subject access creates a significant and previously not well-publicized risk for businesses.


While GDPR compliance has been a great concern for many companies, and Pavur’s research indicates that a large percentage are taking subject access requests seriously, the lack of a standard for what constitutes reasonable identity verification leaves companies vulnerable and gives bad actors the ability to turn a consumer data protection law into a weapon for stealing consumer data.


Perhaps not surprisingly, just as small and mid-sized organizations struggled the most to prepare for the GDPR, these organizations also appear to be the most vulnerable to subject access abuses. According to Pavur, the largest organizations he sent requests to “tended to perform well”. Non-profits and mid-sized businesses, on the other hand, were responsible for 70% of the mishandled requests.

You can read the full article from Econsultancy here:

The data that Pavur gained access to was often of a sensitive nature. In one case, he was able to obtain his fiancé’s US social security number without providing any documentation. He also obtained bank details and breached usernames and passwords that were still in use.

All of this indicates that there is still a long way to go when it comes to GDPR compliance. In attempting to comply with the law over data subject access requests, organisations were actually failing in their obligations to protect user data.

If you’re uncertain about how to ensure GDPR compliance, Activa Consulting can help. Get in touch with us today and our expert data protection consultants will provide the guidance that you need.

30% of EU businesses fail GDPR compliance

30% of EU businesses fail GDPR compliance

A new survey of EU firms by RSM has discovered that 30% admitted that they fail GDPR compliance – and that a further 13% were not certain whether they are compliant or not. This leaves only 57% confident in their data protection processes.

This is worrying news given that it has been over a year since GDPR came into force. All of these organisations should have been prepared in advance, and ensured that they were compliant before 25th May 2018.

But because they fail GDPR compliance, they are putting themselves at risk.

As reported by Silicon:

It seems that there is no single issue to blame for non-compliance, but middle market businesses are apparently struggling to understand and implement a whole range of areas covered by the regulation.


The survey found that more than a third (38 percent) of non-compliant businesses do not understand when consent is required to hold and process data, 35 percent are unsure how they should monitor their employees’ use of personal data and 34 percent don’t understand what procedures are required to ensure third party supplier contracts are compliant.


The good news however is that despite the lack of compliance, GDPR is starting to have a positive impact on cyber security.


According to RSM, almost three quarters (73 percent) of European businesses say GDPR has encouraged them to improve the way they manage customer data and 62 percent say it has seen them increase their investment in cyber security. But alarmingly 21 percent of businesses admit that they still have no cyber security strategy in place.

You can read the full article here:

It therefore seems as if GDPR’s overall effect so far has been mixed. But with fines starting to appear thanks to GDPR – with British Airways recently receiving a record penalty of £183 million from the ICO – firms need to start taking their compliance more seriously.

We would always advise that data protection should be by design and default. Aside from the potential financial dangers of not being GDPR compliant, these firms are also risking a loss of trust from their customers and not being as efficient as they could be.

If you’re concerned that your organisation fails GDPR compliance, or want to further improve your data protection procedures and therefore your efficiency, click here to contact us today and find out more about our GDPR consultancy packages.

Private messages for sale from 81,000 hacked Facebook accounts

Private messages for sale from 81,000 hacked Facebook accounts

News has broken that 81,000 hacked Facebook accounts have had their private messages stolen. The hackers are now attempting to sell this data on, at the price of 10 cents (8p) per account, and are also claiming that they have obtained details from even more accounts – 120 million – although this has not been verified.

hacked facebook accounts hackerFacebook has already faced huge problems regarding data protection. It was fined £500,000 earlier this year for its role in the Cambridge Analytica scandal, and it now looks like it will be facing further penalties from the Information Commissioner’s Office (ICO). Regardless of the scale of this latest breach, things are looking bad for the social media giant.

Whatever happens next, a new fine will tell us something useful. The Cambridge Analytica scandal took place before GDPR came into effect in May, so the fine against Facebook was brought according to the pre-existing data laws. Specifically, it came under the Data Protection Act 1998. A new fine relating to this latest breach, however, will fall under GDPR.

It’s important to note that Facebook have not been able to hide behind being a US company. And as it turns out, they may have been fortunate that the Cambridge Analytica scandal was exposed before May 25th; it’s impossible to say what the fine would have been under GDPR, but it may well have been considerably greater than £500,000.

No matter what, though, the single biggest issue here is the ongoing risk to users. Facebook is a built around people’s personal data, but has so far been unable to provide adequate protection for that data. If the trend continues, there could be even more trouble ahead for the company.

You can find out more about this latest data breach of hacked Facebook accounts here.

And if you want to ensure that your company is GDPR compliant, make us of our GDPR Gap Analysis to make sure that you avoid heavy fines.