General Data Protection Regulation (GDPR) became law in the UK exactly one year ago and this article reports on personal observations over a 12-month period. One thing that is clear is that GDPR has created greater awareness of best practices for handling personal data. This has been driven by the fear of financial penalties of up to 4% of annual turnover or 20,000,000 Euros, whichever is higher. During this time a significant number of complaints have been made to data protection authorities requesting investigations, and some have resulted in financial penalties.
More information is available at https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
For UK readers also visit the website of the UK’s Information Commissioner’s Office:
- For organisations: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/
- For individuals: https://ico.org.uk/your-data-matters/
I have received many privacy notifications from companies stating that they hold and process personal data. Roughly 50% of these notifications were received from businesses with which I had no prior contact or to which I had not given consent to process data.
- Requests for data removal have resulted in requests for more personal data to confirm identity.
- Two businesses wanted a scan of my passport or driving licence before they would remove the data.
- Some email notifications indicated that removal of personal data required recipients to log on and change their data settings.
Observations suggest that:
- Because of the way in which some businesses have chosen to implement GDPR, people are forced to jump through hoops to have their data removed
- GDPR-related emails can easily be used for phishing. With everyone expecting such emails following the introduction of GDPR, many removal requests could already have resulted in more personal details being processed inappropriately than were held before the request was made
Date of Birth
Use of Date of Birth as a security question has increased. I’ve said many times that immutable facts cannot be used for any meaningful security, but the important point here is that over the last 12 months companies have asked for my Date of Birth for security when in fact I would never have had a legitimate reason to give it to them in the first place.
It became obvious that Dates of Birth were being requested for the purpose of populating a previously blank field in their database. This was put to the test in the following two ways:
- I gave a bogus date of birth which was accepted as correct for security
- I told them they would have nothing to compare it against because there was no legitimate need for them to know. This was followed by a pause while the operator checked with their manager, and then an alternative security question was asked
The legitimacy of these businesses is not in question: we are not talking about potentially fraudulent businesses that nobody has ever heard of, we are talking about national brands. Unless people are mindful of whom they gave their date of birth to, it is reasonable to assume that when asked for confirmation, they would be willing to give it.
Personalised Junk Mail
The quantity of personalised mail has reduced quite significantly, but the quantity of non-personal mail has increased significantly during the same period. The increase is split between:
- Letters addressed to ‘owner/occupier’ without any named individual – suggests that where businesses have a refined customer list but no consent to hold personal data, only the names have been removed so that physical addresses can still be targeted
- Mail without any name or address – suggesting that some businesses have chosen to use leaflets rather than mail, and which are delivered in bulk
More information on how to stop receiving junk mail in the UK can be found here: https://www.citizensadvice.org.uk/consumer/post/stop-getting-junk-mail/
Public Data Feeds
Publicly available data sources are still available free of charge, or for a nominal payment, from government departments and local authorities. Consequently, second-level websites and services which use publicly available data still have access to all the data, and make it available to everyone free of charge or for a fee.
Requests to remove this data are still met with resistance, and with requests for significantly more personal information before action will be taken. The removal is only effective until a replacement data feed is processed. No evidence is available to indicate that a separate block list has been implemented to ensure that removal requests are permanently applied.
This information is more than sufficient for fraud to take place, yet to my knowledge nobody has ever consented to this information being made available publicly by authorities or given consent to 3rd party organisations to process this data and sell it online. This is simply not covered by ‘Consent’ but is covered under ‘Legitimate Interest’ in GDPR.
A data broker is considered to have a legitimate interest in this data because their source of income is from the sale of your data. Although data privacy advocates would like nothing more than to see some of these businesses cease to exist, and this has come up in conversation many times over the last 12 months, this is unlikely to happen any time soon because the businesses are highly profitable. Put simply, their business purpose is to profit from your data, so they have a ‘Legitimate Interest’ in processing it. This is potentially a court case waiting to happen in the future to define the boundary with case law.
Increased User Accounts
More and more websites insist that online accounts are required to make purchases. There are many business reasons for choosing to make user accounts mandatory, and an increase over the previous 12 months could be a coincidence. However, a user account does address the issue of maintaining data accuracy, as it essentially transfers responsibility for data accuracy to the user, who can log on and edit their own personal data. Also, over the last 12 months, I have observed a number of accounts being created without my consent, along with emails inviting me to verify details.
There are long term security implications which need to be considered:
- People can easily lose track of user accounts over time, especially if at the time of placing an order they were required to create an account despite knowing it would likely be a one-time purchase. Security questions based on historical facts are an equal problem, since the same facts are reused across many accounts.
- Many websites still send passwords by email in plain text when forgotten password options are used. However, sites are increasingly switching to a more secure password reset process.
- Credit card details could be stored and available in accounts to which people no longer have access
- Re-use of logon credentials and security questions between sites increases the risk of more important sites being compromised
Not everyone maintains an inventory of user accounts; in fact, it is more likely that very few people do. More user accounts mean more opportunities for user accounts to be hacked. Many sites have chosen to add the option to authenticate with Facebook or Google accounts; however, if either of those is compromised, all connected accounts will also be compromised.
Increased cookie popups
Consent to store cookies has been implemented in many different ways, from a visible page on the website to popups demanding that users click on a button to accept cookies.
- Website platforms such as WordPress have implemented it as standard, so that anyone with a website powered by WordPress will get the functionality automatically
- Many popups have been implemented in an intrusive way which disrupts the user experience on the website, such as fading out the content of the page, requiring ‘accept’ to be selected before the page can be read, not allowing the ‘accept’ button to be clicked until the entire page has downloaded, and not providing an option to ‘decline’
- Many sites don’t have a ‘decline’ option. Although cookies are often needed for the functioning of the website, such as for the duration of the session or for security, cookies used for these reasons are excluded from the regulations. A decision has essentially been made that you either ‘allow’ or ‘leave’. Consequently, the problem is that people will ‘allow’ as an automatic response, which in the long term will render the concept useless, rather like the millions of people who tick a box to say they accept terms and conditions but never actually open and read them.
More information is available at:
- European Commission https://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm
- UK Privacy and Electronic Communications Regulations (PECR) https://ico.org.uk/for-organisations/guide-to-pecr/what-are-pecr/
Security consultant with over 20 years’ experience gained across a diverse range of industry sectors including insurance and banking. Graduated in 1997 with a software engineering degree, specialising in cyber security, risk analysis and access management.