GDPR used to gain access to fiancée’s personal data: Exposing vulnerabilities in Data Subject Access Requests

  • A recent test DSAR has demonstrated companies’ differing approaches to DSAR compliance
  • Despite the DSAR being made by a third party on behalf of the data subject, it is clear companies are uncertain regarding when or how they should ask for ID verification
  • ICO guidance urges data controllers to be satisfied that any third party making a DSAR is entitled to act on behalf of the individual data subject

Background

Article 15 of the GDPR gives data subjects the right to obtain a copy of their personal data held by data controllers who process their personal data.  Over the course of the past year, we’ve seen increasingly innovative uses of this right, as demonstrated recently by James Pavur, a researcher at the University of Oxford. Continue reading

Cookie Update: The ICO way

Following on from the ICO’s recent admission around its cookie consent mechanism (for further details see our previous post here), the ICO website was down for a period of time at the end of last week. But now it is back and with a new and “improved” cookie consent mechanism (see here).

Continue reading