GDPR's unintended consequences (The Register)

  • Thread starter anorlunda
  • Start date
In summary, the conversation discusses the implications of GDPR and similar privacy legislation. It is highlighted that while the law aims to protect personal data, it has made it easier for identity thieves to obtain sensitive information. This is due to the fact that companies are not required to verify the identity of those requesting personal data. This has resulted in a significant number of companies providing personal data to individuals who may not be who they claim to be. Furthermore, the conversation also acknowledges the challenges that this poses for security solutions that use personal data to protect individuals. Ultimately, it is stated that both cybercriminals and security practitioners will have to adapt and keep up with the constantly evolving technology in order to stay ahead in the "arms race" of data protection.
  • #1
anorlunda
Staff Emeritus
Insights Author
11,308
8,737
TL;DR Summary
GDPR's unintended consequences
I would like to share this because GDPR has been discussed before on PF.

Some parties, like my bank, use multi-factor identification to assure I am who I say I am when I request personal data. But many third parties who are required to respond to GDPR requests will not have the data needed to support multi-factor identification.

Rejecting all requests is illegal. Allowing all requests (see below) is harmful to the public and probably leave the info provider liable to lawsuits. What are they supposed to do? Who are they supposed to ask what they are supposed to do?
The Risks List [URL]http://catless.ncl.ac.uk/Risks/31/36#subj5[/URL] said:
Steven Klein <steven@klein.us>Fri, 9 Aug 2019 13:33:14 -0400GDPR, the EU's General Data Protection Regulation, is supposed to protect
personal data and user privacy for EU cititzens. But it has made it life
much easier for identity thieves. The law obligates companies to provide a
copy of any personal data they have, but doesn't require companies to verify
the identity of those requesting the info.

“James Paver, a PhD student at Oxford University who usually specialises in
satellite hacking, explained how he was able to game the GDPR system to get
all kinds of useful information on his fiancée [with her permission],
including credit card and social security numbers, passwords, and even her
mother's maiden name. [...] Over the space of two months Pavur sent out 150
GDPR requests in his fiancée's name, asking for all and any data on her. In
all, 72 per cent of companies replied back, and 83 companies said that they
had information on her. ... Of the responses, 24 per cent simply accepted
an email address and phone number as proof of identity and sent over any
files they had on his fiancée.''

“A threat-intelligence company sent over a list of her email addresses and
passwords which had already been compromised in attacks. Several of these
still worked on some accounts.''

Source: The Register <https://www.theregister.co.uk/2019/08/09/gdpr_identity_thief/>
 
  • Like
Likes aaroman and Wrichik Basu
Computer science news on Phys.org
  • #2
GDPR and similar legislation designed to protect people's privacy will have negative implications for security solutions that use the same data to protect people. Both cybercriminals and security practitioners will both have to adapt as they always have. With such complex technology that changes so quickly, it's an arms race.
 

FAQ: GDPR's unintended consequences (The Register)

1. What are some examples of unintended consequences of the GDPR?

Some examples include businesses being forced to shut down due to the high cost of compliance, smaller companies struggling to keep up with the regulations, and an increase in cyber attacks due to the limited collection and storage of personal data.

2. How has the GDPR affected the digital economy?

The GDPR has had a significant impact on the digital economy, resulting in reduced competition and innovation, as well as a decrease in the availability of free online services. It has also made it more difficult for businesses to collect and use data for targeted advertising and marketing purposes.

3. What are the potential consequences for non-compliance with the GDPR?

Non-compliance with the GDPR can result in hefty fines of up to €20 million or 4% of a company's global annual revenue, whichever is higher. This can have a significant financial impact on businesses, especially smaller ones.

4. How has the GDPR affected data protection for individuals?

The GDPR has strengthened data protection for individuals by giving them more control over their personal data. This includes the right to access, correct, and delete their data, as well as the right to be informed about any data breaches that may affect them.

5. Has the GDPR achieved its intended goals?

It is still too early to tell if the GDPR has achieved its intended goals. While it has made significant strides in protecting individuals' data and increasing transparency, it has also had some unintended consequences, as mentioned above. The effectiveness of the GDPR will likely continue to be evaluated and adjusted as needed in the coming years.

Similar threads

Replies
0
Views
96K
Replies
16
Views
3K
Replies
13
Views
3K
Replies
65
Views
9K
Replies
2
Views
2K
Replies
11
Views
26K
Back
Top