Again, a serious flaw in the GDPR: its reliance on, and sponsorship of, pseudonymisation.
Which is worthless, already against break-ins.
And is worse, much worse, when you consider all the exemptions for ‘statistical use’ that are a cover for all the blatant abuse of personal data that the GDPR was originally intended to counter. And is worse, because six publicly available data points are all that is needed to identify anyone of the general public. De-anonymisation may be an art of sorts, but not a difficult one; easily demonstrated by any half-ass capable “hacker” consultant involved. [Of the Real kind]
Outside the controllers/processors conglomerates, such six points may have to be searched for – holdit; done. – but once anyone is able to infiltrate (why haven’t we heard of APTs for so long now? Because it was the TLAs, or is the overall picture waaayyy too scary to consider?), those six points are often found within one data set, if not with the IDs in some hardly-remote table.
And don’t come with the solution of homomorphic encryption, so usable for the statistical stuff. Also cracked, ever more systemically.
As if in today’s 21st century age, anyone would come forward with ‘these new developments, of motorised aeroplanes, with a “propeller” and all; they hold a promise for possible trans-atlantic flight!’ — Yet the GDPR isn’t different…
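The argument above, that a handful of ordinary attributes singles people out even after the name is replaced by a token, can be checked on a data set before it is released or handed over for ‘statistical use’. The following is an added example, not from the original post; the table is constructed and the column names are hypothetical. It measures how k-anonymity collapses as quasi-identifier columns are added:

```python
from collections import Counter

# Constructed sample of a pseudonymised table: the name is replaced by a token,
# the quasi-identifier columns (hypothetical names) are left untouched.
COLUMNS = ("birth_year", "sex", "postcode", "job", "car", "children")
ROWS = [
    ("p01", 1975, "F", "1011", "nurse", "VW", 2),
    ("p02", 1975, "F", "1011", "nurse", "VW", 0),
    ("p03", 1975, "F", "1011", "teacher", "Fiat", 1),
    ("p04", 1975, "F", "2022", "nurse", "VW", 2),
    ("p05", 1975, "M", "1011", "nurse", "VW", 2),
    ("p06", 1975, "M", "1011", "clerk", "Fiat", 0),
    ("p07", 1982, "M", "2022", "clerk", "Fiat", 0),
    ("p08", 1982, "M", "2022", "clerk", "Fiat", 0),
]


def classes(rows, n_cols):
    """Count records per combination of the first n_cols quasi-identifiers."""
    return Counter(row[1:1 + n_cols] for row in rows)


def k_anonymity(rows, n_cols):
    """Size of the smallest group; k == 1 means someone is singled out."""
    return min(classes(rows, n_cols).values())


def singled_out(rows, n_cols):
    """Tokens of records whose quasi-identifier combination is unique."""
    groups = classes(rows, n_cols)
    return [row[0] for row in rows if groups[row[1:1 + n_cols]] == 1]


def unique_fraction(rows, n_cols):
    """Share of records that no other record can hide behind."""
    return len(singled_out(rows, n_cols)) / len(rows)


if __name__ == "__main__":
    for n in range(1, len(COLUMNS) + 1):
        print(f"{n} column(s) {COLUMNS[:n]}: k={k_anonymity(ROWS, n)}, "
              f"unique={unique_fraction(ROWS, n):.0%}")
```

On this sample the token column changes nothing: k drops to 1 at the third attribute, and three quarters of the records are unique once all six are present.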