General Data Protection Regulation (GDPR) became law in the UK exactly one year ago, and this article reports on personal observations over 12 months. GDPR has created greater awareness of best practices for handling personal data because of the fear of financial penalties of up to 4% of annual turnover or 20,000,000 Euros, whichever is higher. During this time, a significant number of complaints have been made to data protection authorities requesting investigations and some have resulted in financial penalties.
More information is available at https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
UK readers should also visit the website of the UK’s Information Commissioner’s Office:
- For organisations: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/
- For individuals: https://ico.org.uk/your-data-matters/
I have received many privacy notifications from companies stating that they hold and process personal data. Roughly 50% of these notifications were from businesses with which I had no prior contact or to which I have not given consent to process data.
- Requests for data removal have resulted in a need to provide more personal data to confirm my identity
- Two businesses wanted a scan of my passport or driving licence before they would remove the data
- Some email notifications indicated that removal of personal data required recipients to log in and change their data settings
Observations suggest that:
- The way some businesses have chosen to implement GDPR forces people to jump through hoops to have their data removed
- Hackers can easily use GDPR-related emails for phishing. With everyone expecting such emails following the introduction of GDPR, many removal requests could already have resulted in more personal details being processed inappropriately than before.
Date of Birth
Use of Date of Birth as a security question has increased. I’ve said many times that people should not use immutable facts for security. Still, the point here is that over the last 12 months companies have asked for my date of birth when in fact I would never have had a legitimate reason to give it to them in the first place.
It became evident that companies are requesting Dates of Birth for security, but the real purpose is to populate a previously blank field in their database. I put this to the test in the following two ways:
- I gave a bogus date of birth. The company accepted it as correct for security
- I told them they would have nothing to compare it against because there was no legitimate need for them to know. Following a pause, the operator checked with their manager and asked an alternative security question.
The legitimacy of these businesses is not in question, as we are not talking about potentially fraudulent companies that nobody has ever heard of; we are talking about national brands. Unless people are mindful of whom they gave their date of birth to, it is reasonable to assume that when asked to confirm it, they would be willing to give it.
Personalised Junk Mail
The quantity of personalised mail has reduced quite significantly, but the amount of non-personal mail has increased substantially during the same period. The increase is roughly 50/50 between:
- Letters addressed to ‘owner/occupier’ without any named individual, which suggests that where businesses have a refined customer list but no consent to hold personal data, they remove the names and keep targeting the addresses.
- Unaddressed mail, suggesting that many businesses have chosen to deliver leaflets instead
More information is available here to learn how to stop receiving junk mail: https://www.citizensadvice.org.uk/consumer/post/stop-getting-junk-mail/
Public Data Feeds
Publicly available data sources are still available free of charge, or for a nominal payment, from government departments and local authorities. Consequently, second-level websites and services that build on publicly available data still have access to all of it, and make it available to everyone free of charge or for a fee.
Requests to remove data still meet resistance and a need to jump through hoops, including demands for significantly more personal information before any action is taken. The removal is only effective until a replacement data feed is processed. No evidence is available to indicate that a separate suppression list exists to ensure that removal requests are permanently applied.
This information is more than sufficient for fraud to take place. Yet, to my knowledge, nobody has ever consented to this information being made available publicly by authorities, or given consent to third-party organisations to process this data and sell it online. Such businesses can, however, claim a ‘Legitimate Interest’ under GDPR.
A data broker can claim to have a legitimate interest because their source of income is from the sale of your data. Although data privacy advocates would like nothing more than to see some of these businesses cease to exist, and this has come up in conversation many times over the last 12 months, this is unlikely to happen any time soon because the businesses are highly profitable. Their business purpose is to profit from your data, so they have a ‘Legitimate Interest’ in processing it; potentially a court case waiting to happen in the future to define the boundary with case law.
Increased User Accounts
More and more websites insist that online accounts are required to make purchases. There are many business reasons for mandatory user accounts, and an increase over the previous 12 months could be a coincidence. However, a user account does address the issue of maintaining data accuracy as a user account will essentially transfer responsibility for data accuracy to the user, who can log in and edit their data. Also, over the last 12 months, I have observed several accounts created without my consent, along with emails inviting me to verify details.
There are long term security implications to consider:
- People can quickly lose track of user accounts over time, particularly where creating an account was mandatory at the time of placing an order despite it being a likely one-time purchase. Equally, security questions based on historical facts are a problem.
- Many websites still send passwords by email in plain text in response to forgotten password options. However, sites are increasingly switching to a more secure reset process.
- Sites could store credit card details in the accounts to which people no longer have access
- Re-use of logon credentials and security questions between sites increases the risk of more important sites being compromised
Not everyone maintains an inventory of user accounts; in fact, it is more likely that very few people do. More user accounts mean more opportunities for hacking user accounts. Many sites authenticate with Facebook or Google; however, if either of these is compromised, all connected accounts are also compromised.
Increased cookie popups
Consent to store cookies has been implemented in many different ways, from a visible page on the website to popups demanding that users click a button to accept cookies.
- Website platforms such as WordPress have implemented it as standard, so that anyone with a website powered by WordPress gets the functionality automatically
- Website developers have implemented intrusive popups that disrupt the user experience on the site: fading out the content of the page and requiring ‘accept’ to be selected before the visitor can read it, not allowing the ‘accept’ button to be selected until the entire page has downloaded, and not providing an option to ‘decline’.
- Many sites don’t have a ‘decline’ option. Although websites often need cookies for the duration of the session or for security, these reasons are not in the regulations. Website developers’ choice to offer either ‘allow’ or ‘leave’ creates a new problem: people will ‘allow’ as an automatic response, which in the long term will render the concept useless, rather like the millions of people who tick a box to say they accept terms and conditions but never actually open and read them.
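The following is an added example, not code from the original article or from any platform it names, contrasting the ‘allow or leave’ pattern the list describes with a consent gate in which ‘decline’ is a real choice and nothing non-essential is written until the visitor decides. The cookie jar is a Map standing in for `document.cookie` so the logic runs outside a browser; the cookie names, categories and helper names are constructed.

```javascript
// Added example (not from the original article): a consent gate with a real "decline".
// The jar is a Map standing in for document.cookie; names and categories are constructed.
const ESSENTIAL = "essential"; // session and security cookies: exempt from the gate

function createConsent() {
  let decision = null; // null until the visitor chooses, so the default is "no"
  return {
    accept() { decision = { analytics: true, marketing: true }; },
    decline() { decision = { analytics: false, marketing: false }; },
    decided() { return decision !== null; },
    isAllowed(category) {
      if (category === ESSENTIAL) return true;
      return decision !== null && decision[category] === true;
    },
  };
}

// Every cookie write goes through here with its category; the gate decides.
function setCookie(jar, consent, name, value, category) {
  if (!consent.isAllowed(category)) return false;
  jar.set(name, value);
  return true;
}

// The pattern the text complains about: non-essential cookies written on page
// load, before anyone was asked, with the banner offering only "allow".
function weakPageLoad(jar) {
  jar.set("sessionid", "s1");
  jar.set("_ga", "tracker");
  return jar.size;
}

// The corrected pattern: only the essential cookie at load time; analytics and
// marketing cookies appear only after an explicit accept and never after a decline.
function gatedPageLoad(jar, consent) {
  setCookie(jar, consent, "sessionid", "s1", ESSENTIAL);
  setCookie(jar, consent, "_ga", "tracker", "analytics");
  setCookie(jar, consent, "ad_id", "abc", "marketing");
  return Array.from(jar.keys());
}
```

Because the gate defaults to denied and the banner's ‘accept’ only flips the state, the page can render immediately and the visitor can read it before deciding, which removes the reason for greying out the content or the button until the page has finished loading.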
More information is available at:
- European Commission https://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm
- UK Privacy and Electronic Communications Regulations (PECR) https://ico.org.uk/for-organisations/guide-to-pecr/what-are-pecr/
Robert is an information security consultant with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through LinkedIn.