12 Months of GDPR

General Data Protection Regulation (GDPR) became law in the UK exactly one year ago, and this article reports on personal observations over 12 months. GDPR has created greater awareness of best practices for handling personal data because of the fear of financial penalties of up to 4% of annual turnover or 20,000,000 Euros, whichever is higher. During this time, a significant number of complaints have been made to data protection authorities requesting investigations and some have resulted in financial penalties.

More information is available at https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

For UK readers also visit the website of the UK’s Information Commissioner’s Office:

Email Notifications

I have received many privacy notifications from companies stating that they hold and process personal data. Roughly 50% of these notifications were from businesses with which I had no prior contact or to which I have not given consent to process data.

  • Requests for data removal have resulted in a need to provide more personal data to confirm my identity
  • Two businesses wanted a scan of my passport or driving licence before they would remove the data
  • Some email notifications indicated that removal of personal data required recipients to log in and change their data settings

Observations suggest that:

  • The way some businesses have chosen to implement GDPR forces people to jump through hoops to have their data removed
  • GDPR-related emails are an easy lure for phishing. With everyone expecting such emails after the introduction of GDPR, many removal requests may already have led to more personal details being handed over, and processed inappropriately, than before.

Date of Birth

Use of Date of Birth as a security question has increased. I’ve said many times that people should not use immutable facts for security. Still, the point here is that over the last 12 months companies have asked for my date of birth when in fact I would never have had a legitimate reason to give it to them in the first place.

It became evident that companies are requesting Dates of Birth for security, but the real purpose is to populate a previously blank field in their database. I put this to the test in the following two ways:

  • I gave a bogus date of birth. The company accepted it as correct for security
  • I told them they would have nothing to compare it against because there was no legitimate need for them to know. Following a pause, the operator checked with their manager and asked an alternative security question.

The legitimacy of these businesses is not in question, as we are not talking about potentially fraudulent companies that nobody has ever heard of; we are talking about national brands. Unless people are mindful of whom they gave their date of birth to, it is reasonable to assume that when asked for confirmation, they would be willing to give it.

Personalised Junk Mail

The quantity of personalised mail has reduced quite significantly, but the amount of non-personal mail has increased substantially during the same period. The increase is roughly 50/50 between:

  • Letters addressed to ‘owner/occupier’ without any named individual – suggests that where businesses have a refined customer list but no consent to hold personal data, they remove the names and keep targeting the addresses.
  • Unaddressed mail – suggesting many businesses have chosen to deliver leaflets

More information is available here to learn how to stop receiving junk mail: https://www.citizensadvice.org.uk/consumer/post/stop-getting-junk-mail/

Public Data Feeds

Publicly available data sources are still available free of charge, or for a nominal payment, from government departments and local authorities. Consequently, second-level websites and services that use publicly available data still have access to all of it, and make it available to everyone free of charge or for a fee.

Requests to remove data still meet resistance and a need to jump through hoops, including demands for significantly more personal information before any action is taken. The removal is only effective until a replacement data feed is processed. No evidence is available to indicate that a separate suppression list exists to ensure that removal requests are permanently applied.

This information is more than sufficient for fraud to take place. Yet, to my knowledge, nobody has ever consented to this information being made available publicly by authorities, or given consent to third-party organisations to process this data and sell it online. Such businesses can, however, claim a ‘Legitimate Interest’ under GDPR.

A data broker can claim to have a legitimate interest because its source of income is the sale of your data. Although data privacy advocates would like nothing more than to see some of these businesses cease to exist, and this has come up in conversation many times over the last 12 months, it is unlikely to happen any time soon because the businesses are highly profitable. Their business purpose is to profit from your data, so they have a ‘Legitimate Interest’ in processing it; this is potentially a court case waiting to happen, with the boundary eventually defined by case law.

Increased User Accounts

More and more websites insist that online accounts are required to make purchases. There are many business reasons for mandatory user accounts, and an increase over the previous 12 months could be a coincidence. However, a user account does address the issue of maintaining data accuracy as a user account will essentially transfer responsibility for data accuracy to the user, who can log in and edit their data. Also, over the last 12 months, I have observed several accounts created without my consent, along with emails inviting me to verify details.

There are long term security implications to consider:

  • People can quickly lose track of user accounts over time, especially where creating an account was mandatory at the time of ordering even though it was likely to be a one-time purchase. A related issue arises where security questions are based on historical facts.
  • Many websites still send passwords by email in plain text in response to forgotten password options. However, sites are increasingly switching to a more secure reset process.
  • Sites could store credit card details in accounts to which people no longer have access
  • Re-use of logon credentials and security questions between sites increases the risk of more important sites being compromised

Not everyone maintains an inventory of user accounts; in fact, it is more likely that very few people do. More user accounts mean more opportunities for hacking user accounts. Many sites authenticate with Facebook or Google; however, if either of these is compromised, all connected accounts are also compromised.

Increased cookie popups

Consent to store cookies has been implemented in many different ways, from a visible page on the website to popups demanding that users click a button to accept cookies.

  • Website platforms such as WordPress have implemented it as standard, so that anyone with a website powered by WordPress gets the functionality automatically
  • Website developers have implemented intrusive popups that disrupt the user experience on the site: fading out the content of the page and requiring ‘accept’ to be selected before the visitor can read it, not allowing the ‘accept’ button to be selected until the entire page has downloaded, and not providing an option to ‘decline’.
  • Many sites don’t have a ‘decline’ option. Although websites often need cookies for the duration of the session or for security, these reasons are not in the regulations. Website developers’ choice to offer only ‘allow’ or ‘leave’ creates a new problem: people will click ‘allow’ as an automatic response, which in the long term will render the concept useless. It is rather like the millions of people who tick a box to say they accept terms and conditions but never actually open and read them.

More information is available at:

Choosing Suppliers Online

Protecting personal information is a serious concern for everyone. When choosing suppliers online for whatever purpose, it will be necessary to share some information to avail yourself of the services. It is your responsibility to determine whom you trust with your personal information.

  • Does the business have an established brand and reputation to protect? Although we often hear about big names involved in large-scale data breaches, it is reasonable to say that a business with a lot to lose will make more effort to protect your data than those that are here today and gone tomorrow.
  • How did you arrive at the website? If it was in response to an advert, did it create a sense of urgency, such as offering something at a discount that is only available today? There is always a reason why someone wants you to make a decision quickly. Businesses wishing to establish themselves in the marketplace will be happy for you to make your own decision in your own time.
  • Has this business been involved in security incidents and loss of data? Information about such events is often available on the Internet and easy to find with search engines.
  • How secure is the website? Does the site use HTTP or HTTPS in its website address? Consider other factors too, such as how password reminders work: if your password is sent to you as plain text by email, it demonstrates how they feel about your security.
  • Does the website have a privacy policy and information about the use of cookies?
  • Does the website clearly show how to contact the business, the registered address, trading address, contact telephone numbers and contact email addresses?
  • How much information does the site ask for while signing up? I have observed a significant increase in websites demanding more information than is needed. Please stop and think about why they need such information and be ready to walk away. National Insurance numbers, for example, are required only when dealing with HMRC and employment-related matters, so no other business has any legitimate purpose in requesting such information.

Being suspicious can be a healthy attitude to take. Avoid impulse-buying scenarios. Ask yourself, if you didn’t know you needed ‘this’ yesterday, do you need it right now? It won’t hurt to take your time, speak to other people, think about it more, sleep on it, and make a decision later.

Last year I wrote an article called ‘The Website Credibility Test’ which contains more information relating to this article.