Online Privacy Rules Can Be Gamed, So Require Credentials
Because online privacy rules in the EU require disclosure of data, firms should require credentials before releasing personal information.
With the introduction of Europe's General Data Protection Regulation (GDPR), firms in Europe and around the globe should be aware that social engineering tactics can be used to acquire an individual's sensitive data through the regulation's own access-request process.
"...For social engineering purposes, GDPR has a number of real benefits, Pavur said. Firstly, companies only have a month to reply to requests and face fines of up to 4 percent of revenues if they don't comply, so [the] fear of failure and time are strong motivating factors.

In addition, the type of people who handle GDPR requests [is] usually admin or legal staff, not security people used to social engineering tactics. This makes information gathering much easier..." (See this article.)
Direct email marketing, for example, is already regulated under the EU's e-Privacy Directive. Such rules require consent before someone can be sent direct marketing. A so-called "soft opt-in" makes this slightly easier: if a firm has an existing relationship with a person, for instance because that customer has bought a product from them before, it may still contact that recipient. The European Union is updating its rules on electronic communications just as the UK is hurrying to put its own Data Protection Act in place, mindful of how Brexit will affect tech firms. The continued flow of data between the UK and the rest of Europe (and the world) depends on governments' ability to cooperate on these rules.