Issues surrounding the General Data Protection Regulations (GDPR) have been hot topics for some time, and many have said that 2018 will be all about GDPR and very little of anything else. A key question here is to what extent does the implementation of GDPR have the potential to reduce the overall level of security for individuals and their data.
With the right to access and to rectify personal data, a growing number of companies will choose to solve this problem by providing online access to their data. This approach takes responsibility for the accuracy of data away from companies and places it firmly in the hands of individuals.
- Companies will need to organise their data to correlate all data for a single individual across multiple systems to provide a single view of data. Having data collated in such a way has the potential to make it easier for someone to gain unlawful access to customer data. Although the data may be physically distributed across the globe, to access all data, it still needs to be virtually in one place.
- Providing online access to customer data will require login credentials. Multiplying this by the number of companies making customer data available online could quite drastically increase the number of passwords people need to manage. The risk and attack surface area increases with every registered online account.
- If businesses offer the right to erase all personal data online, individuals could easily find themselves registering to carry out the erasure. However, it is acceptable under GDPR to email a business asking them to delete all data, and for them to delete the data without forcing people to jump through hoops.
- Companies that don’t currently provide an online account for their services, such as for making a simple online purchase, will be able to use GDPR as a justification for everyone to register at the time of purchase and require an account. Again, the number of login credentials needed will increase further.
- Providing the online means to export all data to comply with data portability will make life much easier for hackers wishing to steal data if accounts are compromised. Access will be to the same data provided online, except instead of needing to stay logged in and possibly make screenshots or screen scrape data, they can use a download option.
- In the recruitment sector, it is common for individuals to have their data with 100s if not 1000s of individual recruitment businesses. As individual recruiters move from company to company, the data often goes with them, so the number of recruitment firms holding personal information is in practice much higher. Many job seekers could find themselves needing to manage many online accounts to the point of it being unmanageable.
The more online accounts people need to have, the less secure the situation becomes. There is a saturation point where people will shut off and become more complacent with security. If people do attempt to have different login credentials for various systems, there is likely to be a point where such good intentions break down. They become bored with managing their accounts online and their security becomes compromised. It is similar to the argument that if a password is too complicated to remember, and a password vault not used, users will write down their passwords.
Everyone reading this blog will probably know at least one person who has a notebook in a drawer for all their passwords, and you may know precisely where it is just in case something happens. The number of online account requirements is increasing. GDPR is causing this number to grow faster, and the whole idea of online accounts and passwords will keep more people awake at night.
Robert is an information security consultant with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through LinkedIn.