Issues surrounding the General Data Protection Regulation (GDPR) have been a hot topic for some time, and many have said that 2018 will be all about GDPR and very little else. A key question is to what extent the implementation of GDPR has the potential to reduce the overall level of security for individuals and their personal data.
With a right to access and to rectify personal data, a growing number of companies will choose to meet this obligation by providing online access to their data. This approach takes responsibility for the accuracy of data away from companies and places it firmly in the hands of individuals.
- Companies will need to organise their data in such a way that all data for a single individual is correlated across multiple systems so that a single view can be provided. Having data collated in this way has the potential to make it easier for someone to gain unlawful access to customer data. Although the data may be physically stored in a distributed way across the globe, to provide access to all of it the data still needs to be brought together virtually in one place.
- Providing online access to customer data will require logon credentials. Multiplied by the number of companies making customer data available online, this could quite drastically increase the number of passwords people need to manage. The risk and the attack surface increase with every online account that needs to be registered.
- If the right to erase all personal data is offered by online means, individuals could easily find themselves having to register for an account in order to carry out the erasure. It is, however, acceptable under GDPR for an individual to send an email asking for all data to be deleted, and for that instruction to be complied with.
- Companies that don’t currently provide an online account for their services, such as for making a simple online purchase, will be able to use GDPR as a justification for requiring everyone to register for an account at the time of purchase. Again, the number of logon credentials required will increase further.
- Providing an online means to export all data, in order to comply with data portability, will make life much easier for hackers wishing to steal data in the event that accounts are compromised. They gain access to the same data that is provided online, except that instead of needing to stay logged in and possibly take screenshots or scrape data from the screen, all of the data can be downloaded in one go.
- In the recruitment sector, it is common for individuals to have their personal data held by hundreds, if not thousands, of individual recruitment businesses. As individual recruiters move from company to company, the data often goes with them, so the number of recruitment firms holding personal data is in practice much higher. Many jobseekers could find themselves needing to manage so many online accounts that it becomes unmanageable.
The more online accounts people need to have, the less secure the situation becomes. There is a saturation point at which people will switch off and become more complacent about security. If people do attempt to use different logon credentials for different systems, there is likely to be a point at which such good intentions break down: they become bored with managing their accounts online and their security becomes compromised. It is similar to the argument that if a password is too complicated to remember, and a password vault is not being used, it will most likely be written down.
Everyone reading this blog knows at least one person who has a notebook in a drawer for all their passwords, and you probably know exactly where it is just in case something happens. The number of online account requirements is increasing. GDPR will cause this number to increase faster, and the whole idea of online accounts and passwords will keep more people awake at night.
An information security consultant with over 20 years’ extensive experience gained across a diverse range of private and public industry sectors, including insurance, banking, telecommunications, health services and charities, both in the UK and internationally. Graduated in 1997 with a software engineering degree, and specialises in cyber security, risk analysis, compliance reporting and access management.