The EU General Data Protection Regulation (GDPR), in force since May 2018, was introduced to protect individuals and the personal data held on them by local authorities and commercial businesses, and to stop organizations misusing or selling that data without consent. GDPR shook up every sector: since it came into force, businesses and organizations have had to take a hard look at how the data they hold is stored, shared and protected. The outcome has been a positive one, and data is now handled with far more care than before.
However, a recent study by PhD student James Pavur of Oxford University found a loophole in identity verification for the ‘right of access’, also known as a ‘subject access request’, the GDPR provision that allows individuals to obtain the data held on them. The weakness lies less in the legislation itself, which lets a controller ask for additional information to confirm a requester’s identity, than in how organizations actually check identity before answering. By posing as his fiancée, Pavur was able to obtain her personal information.
Starting with just his fiancée’s name, email address and phone number, which he found online, Pavur wrote to 75 UK and US companies impersonating her. Surprisingly, some responded without performing any identity checks at all, and several supplied her home address. Armed with that, Pavur sent a further 75 letters and received yet more: previous home addresses, school grades and even credit card details. At no point did he use a spoofed email address or forge a signature, according to the Naked Security article “GDPR privacy can be defeated using right of access requests” (https://nakedsecurity.sophos.com).
So what should be done to improve identity verification?
Pavur’s research shows that businesses are taking subject access requests seriously, which is a good thing. The problem is how to administer those requests so that compliance with GDPR does not itself compromise the privacy the law is meant to protect. It also highlights that fraudsters, or companies acting in bad faith, could just as easily request data for the wrong reasons.
In response, companies and organizations need to adopt identity verification measures so that requesters must prove they are who they claim to be, rather than leaving the company exposed. Options include requiring the requester to sign in to the existing account associated with them, sending the reply only to contact details already on file rather than to an address supplied in the letter, or asking for photo ID before any data is released. GDPR (Article 12(6)) explicitly permits a controller with reasonable doubts to ask for additional information to confirm identity, but the check should be proportionate: demanding a passport copy from everyone who asks creates a new store of sensitive data that itself needs protecting.
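As an added illustration, not part of the original article and not code from Pavur’s research or from Crendon Insurance, the Python sketch below shows the rule that defeats the letter-writing attack described above: an unverified requester never chooses where the reply goes, verification happens out of band via the contact details already on file, and data is only ever released to a channel on file. The subject record, the request letters and the `SARGate` class are all constructed for the example.

```python
"""Toy subject-access-request (SAR) gate: verify identity before releasing data.

Added illustration; the records and requests are constructed, not real.
Three rules are enforced:
  1. An unverified requester never chooses where the reply is sent.
  2. Verification goes out of band, to contact details already on file.
  3. Data is released only to a channel on file, never to the address
     written in the request letter.
"""
from dataclasses import dataclass
from typing import Optional
import hmac
import secrets


@dataclass
class Subject:
    subject_id: str
    name: str
    email: str      # contact details the organisation already holds
    postal: str


@dataclass
class SARRequest:
    claimed_name: str
    claimed_email: str
    return_address: str                         # where the requester asks for the reply
    session_subject_id: Optional[str] = None    # set only if signed in to their account


@dataclass
class Decision:
    status: str                  # "release", "challenge" or "reject"
    send_to: Optional[str]       # channel the data (or the challenge) goes to
    reason: str
    token: Optional[str] = None  # challenge handle handed back to the requester


class SARGate:
    def __init__(self, records):
        self._by_email = {r.email.casefold(): r for r in records}
        self._by_id = {r.subject_id: r for r in records}
        self._pending = {}      # token -> (subject_id, one-time code)
        self.outbox = []        # (email on file, code): simulates the out-of-band message

    def evaluate(self, req: SARRequest) -> Decision:
        rec = self._by_email.get(req.claimed_email.casefold())
        if rec is None or rec.name.casefold() != req.claimed_name.casefold():
            # Same answer whether or not a record exists: don't confirm who you hold data on.
            return Decision("reject", None, "identity not verified")
        if req.session_subject_id == rec.subject_id:
            # Signed in to the existing account: release, but only to the address on file.
            return Decision("release", rec.postal, "authenticated session")
        # A letter from someone who knows only name and email gets a challenge sent to
        # the contact on file; req.return_address is deliberately ignored here.
        token = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[token] = (rec.subject_id, code)   # production: add expiry and rate limiting
        self.outbox.append((rec.email, code))
        return Decision("challenge", rec.email, "code sent to contact on file", token)

    def complete_challenge(self, token: str, presented_code: str) -> Decision:
        entry = self._pending.pop(token, None)          # single use: a wrong guess burns it
        if entry is None:
            return Decision("reject", None, "unknown or already used token")
        subject_id, expected = entry
        if not hmac.compare_digest(expected, presented_code):
            return Decision("reject", None, "wrong code")
        return Decision("release", self._by_id[subject_id].postal, "challenge passed")


def demo():
    """Replays the impersonation pattern against the gate; returns the three outcomes."""
    gate = SARGate([Subject("u1", "Alice Example", "alice@example.com", "1 Example Street")])
    # Constructed attacker letter: correct name and email, but a return address they control.
    letter = SARRequest("Alice Example", "alice@example.com", "99 Attacker Road")
    first = gate.evaluate(letter)
    # The attacker never sees the code (it went to alice@example.com), so a guess fails.
    guess = gate.complete_challenge(first.token, "letter-writer-guess")
    # Alice herself, who does receive the code, can finish a fresh request.
    second = gate.evaluate(letter)
    code = gate.outbox[-1][1]
    real = gate.complete_challenge(second.token, code)
    return first, guess, real


if __name__ == "__main__":
    for d in demo():
        print(d.status, d.send_to, d.reason)
```

The point of the `outbox` is that the one-time code, and ultimately the data, only ever travel to the email and postal address already held for the subject; the return address in the letter never influences routing, so knowing a name, email and phone number is not enough on its own.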
Is your organization fully compliant with GDPR? Are you concerned about identity verification? As a company owner or manager, it is your legal obligation to ensure that GDPR is fully implemented. For a confidential review of your company, please contact Crendon Insurance Ltd. Through our GDPR insurance policy we support companies that handle data, helping them implement the right tools to administer identity verification and ensure they are GDPR compliant.