GDPR privacy can be defeated using right of access requests
A British researcher has uncovered an ironic security hole in the EU’s General Data Protection Regulation (GDPR) – right of access requests.
Right of access, also called subject access, is the part of the GDPR that allows individuals to ask organisations for a copy of any data held on them.
This makes sense because, as with any user privacy system, there must be a legally enforceable mechanism which allows people to check the accuracy and quantity of personal data.
Unfortunately, in what can charitably be described as a massive GDPR teething problem, Oxford University PhD student James Pavur has discovered that too many companies are handing out personal data when asked, without checking who’s asking for it.