GDPR used to gain access to fiancée’s personal data: Exposing vulnerabilities in Data Subject Access Requests

  • A recent test DSAR has demonstrated companies’ differing approaches to DSAR compliance
  • Despite the DSAR being made by a third party on behalf of the data subject, it is clear companies are uncertain regarding when or how they should ask for ID verification
  • ICO guidance urges data controllers to be satisfied that any third party making a DSAR is entitled to act on behalf of the individual data subject

Background

Article 15 of the GDPR gives data subjects the right to obtain a copy of their personal data held by data controllers who process their personal data.  Over the course of the past year, we’ve seen increasingly innovative uses of this right, as demonstrated recently by James Pavur, a researcher at the University of Oxford. Continue reading

Compliant or not: the GDPR is here

The GDPR came into force on 25 May 2018 and brought with it additional rights for individuals and additional obligations for organisations. It also extends its reach beyond European borders and applies not just to companies within the EEA but also to some organisations outside the EEA.

With the legislation now in force, all eyes will turn towards the regulators to see how this piece of legislation will be enforced. We have already heard from the Information Commissioner in the UK that high fines can and will be levied on those that persistently, deliberately or negligently flout the law. And the ICO’s specified areas of focus are reportedly cyber security, artificial intelligence and device tracking. How this will all play out in practice remains to be seen.

For those organisations still on the compliance journey, there is a wealth of information to assist. We have published a GDPR hub, accessible here, which includes a series of briefings and webinars that take a deeper dive into some of the key considerations in any compliance programme. Copies of the briefings are accessible by clicking on the links below:

  1. The GDPR: the “whole of business” issue at the top of your board agenda
  2. The rise of the intelligent business: spotlight on employers
  3. Extending the long arm of the law: Extra-territoriality and the GDPR
  4. Data use – protecting a critical resource
  5. Supply Chain Arrangements: The ABC to GDPR Compliance

Continue reading