Happy Data Protection Day!

January 28th marks the internationally recognised Data Privacy / Protection Day, a day used to raise awareness of data protection rights and risks globally. The date commemorates the Council of Europe's adoption in 1985 of “Convention 108”, the first of its kind to “protect individuals against abuses which may accompany the collection and processing of personal data”.

2018 also now ranks as an important year in the data protection calendar, as the year the EU “General Data Protection Regulation” (GDPR) came into force on May 25th. With just over 8 months under its belt, I thought it would be interesting to review some effects and events of 2018 and how GDPR has influenced them.

Everyone’s mailboxes were flooded. From marketing mailing lists to updated privacy policies, people were bombarded from all sides with requests for continued consent to the handling of their personal data. The net result for end users: apathy, frustration and a little bewilderment. Some re-permission emails were even considered illegal, as the companies sending them lacked the basic consent to email those users in the first place, breaking an already established regulation, the Privacy and Electronic Communications Regulations (PECR).

Big data breaches keep coming. 2018 saw many high-profile attacks, including:

  • Dixons Carphone – June 2017 – an estimated 10 million customer details were accessed, including 5.9 million cards, although without the chip or verification information needed to use the card data.
  • British Airways – August – September 2018 – 380,000 records containing personal and financial information, but not travel or passport details.
  • Facebook – September 2018 – 90 million Facebook user accounts exposed due to a vulnerability in its “view as” code.
  • Marriott International – 8th September 2018 – 500 million guest records, of which 327 million included name, address, passport number and check-in/out information, dating back to 2014 when the attack occurred.

These are just the attacks popularised in the media. Reddit, German politicians, Quora and FIFA all suffered data breaches too over the past year, and that does not include the 772,904,991 email addresses and credentials found in the Collection #1 cache discovered by security researcher Troy Hunt of haveibeenpwned.com this January.

We learnt the scary side of large-scale data processing. Of course I am referring to the Cambridge Analytica scandal, in which the data of 87 million Facebook users (at least 1 million of them UK users) enabled psychological profiles to be created for those users, and the data was then used to influence political campaigns including the US Presidential campaign and the Brexit vote in 2016.

This information was obtained using an app called “this is your digital life”, which invited Facebook users to find out their personality by taking a quiz. What users may not have known was that when they gave ‘consent’ to use the app, this gave the app access not only to their own personal details but also, because of Facebook’s design, to the personal details of their social network. This data included their public profile, page likes, birthday, home city and reportedly some direct messages. The ICO fined Facebook £500,000 (the maximum under the old Data Protection Act 1998, which applied when the breach occurred) in October 2018 for “failing to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data”.

Similarly, the ICO issued one of its first GDPR enforcement notices against the Canadian data analytics firm AggregateIQ for its role in processing personal data relating to UK political campaigning. The enforcement notice requires AIQ to stop processing EU citizens’ data for political campaigns; failure to comply could result in a fine under GDPR of 20 million euros or 4% of global turnover.

So, what now for businesses?

For many businesses 2018 was dominated by GDPR, with many business owners now physically twitching when they hear the term, or actively avoiding it and changing the subject. Most businesses should be commended on their compliance efforts, with many significantly re-developing (or developing for the first time) their data privacy policies and procedures.

With GDPR now implemented and enforced, many business owners will be tempted to put data privacy to one side and focus on other important (and potentially delayed) work, but caution is needed, and there are many reasons why data privacy still requires your attention:

  1. Many of GDPR’s principles have yet to be properly defined and tested. Because GDPR is based on principles rather than hard regulatory rules, there has been a lot of debate around its many principles and their meanings, and only time will tell how enforcement agencies and courts will interpret them. It’s worth keeping an eye on the news and data privacy news sites for enforcement actions and challenges.
  2. Take a minute (or two) to review the rushed decisions of 2018. For most businesses, despite having 2 years to be ready for GDPR, the rush came down to the deadline. Business owners and senior management teams were left with huge project plans and decisions to make to become compliant, and most of these had to be taken quickly, so now is a good time to review those decisions while they are fresh in mind and before they get costly.
  3. GDPR and data protection are not a one-time task. I know this sounds obvious, but a lot of business owners want to treat GDPR and data protection as a task rather than what it is: a continuous lifecycle. Personal data is processed daily, therefore protection efforts need to be made daily as well. In addition, privacy by design and by default need to be embedded at the core of any business activity. This message still needs to be heard.
  4. The risks to personal data are always evolving. Just as protection mechanisms evolve, the risks they protect against are continuously evolving as well, and you need to be alert and have a good set of risk management and incident management processes in place to catch these risks before they damage your business. From an average of 40 new vulnerabilities in IT systems to new social attacks daily, businesses and consumers are under continuous attack.
  5. Brexit is coming, and this may impact your business if you trade with the EU. The ICO recently published advice for organisations if the UK leaves the EU without a deal. If you transfer data within the EU and EEA (European Economic Area) or handle EU citizens’ personal details, then it is worth a review.

https://ico.org.uk/for-organisations/data-protection-and-brexit/
In Summary

GDPR has greatly strengthened, updated and harmonised data protection across the EU and the world. Companies like Facebook have decided to adopt the legislation worldwide, and there is growing discussion in the US of a federal data protection bill. Within the UK, compliance projects dominated boardrooms and project plans alike. The result was a stream of emails flooding mailboxes and new banners appearing on websites to ensure users gave their consent to their data being processed. Never before have businesses been required to be so transparent in their processing activities, with the stakes (and fines) now so much higher. However, with data breaches occurring within businesses at an alarming rate and the growing use of big data analytics, the risks to data protection have also never been greater.