by tialaramex
2510 days ago
It isn't really a new attack surface because GDPR is only a refinement of previous rules. Companies inside the EU were already subject to previous iterations of this "Ask permission, don't keep stuff you don't need, tell subjects what you know, fix mistakes on request" model. Back when I first worked for a start-up, Richmond Informatics (subsequently Garlik, which was then bought by Experian), it began by doing subject data access requests for key personnel just to see what was out there. That's well over a decade ago. And yes, they have a responsibility to ensure they only give the actual subject the data, which is tricky, but if it's too hard then probably "don't keep any data" was the correct answer. "Thank you for your letter. We do not keep any data whatsoever about our users." Done. At Experian the main theme of the training in this area was "Do not try to help, don't respond in any way except to forward everything to the special department that handles these requests".