I'm not sure why everybody here seems to think that sites need to fork over all data they have on store via e-mail if a registered user requests it via e-mail.
A site could easily be compliant by answering general questions (this is what kind of data we have, this is how we collect it, this is what we need it for, this is our legal basis) via e-mail but requiring data exports to be performed via the site itself.
The GDPR actually encourages sites to provide automated self-serve data export mechanisms. The entire point of being able to request a copy of your data is data portability.
"But what if the user never signed up?", I hear some people ask. Why did you collect their data in the first place? If you collect sensitive data like that described in the BBC article, you better have explicit consent and if you have explicit verifiable consent, you should be able to verify a request is made using the same identity that granted the consent (be it an e-mail, a phone call or a signature). So just ask for that again.
Also, if you can't easily comply with a data request because the data is so sensitive and the identity can't easily be verified, you can still explicitly say so. Describe the kind of data you have and offer to delete it, then offer whatever form of authentication is adequate given the level of sensitivity of the data in question should they still demand it.
I'm not sure why some people seem to think this is particularly unreasonable. Just because it isn't code, doesn't mean you have to reinvent authentication from scratch. Think of how you identify someone before you agree to store their data. You already do that for all other business processes, why should data requests be any different?
EDIT: Also if you figure you can't easily verify someone's identity after you took their data, that sounds like a good reason not to take their data in the first place. And that's the entire point of the GDPR: minimising personal data. The GDPR makes personal data toxic and that's intentional. Just like toxic substances you need special precautions for handling and storing it, and you probably want to avoid both unless absolutely necessary.