Personal data perceptions are evolving
| Are consumers more aware of the value of their data?
Is society as naïve about personal data as it was pre-GDPR? Or have successive data breaches and privacy violations by big tech companies made us all wake up and smell the coffee?
Since the EU’s General Data Protection Regulation came into effect in May 2018, there has been a noticeable mindset change in how people regard the security and use of their personal information.
The Facebook / Cambridge Analytica scandal put the spotlight on the reputational damage that businesses face, when they pursue the monetization of our data. Google’s recent €50 million financial penalty was imposed by the Information Commissioner’s Office (ICO), for failing to be transparent in how it collected people’s data to target them with personalised ads.
A number of high-profile data breaches has also highlighted that no company, however trusted with personal data, is impervious to cyberattacks. And as we move deeper into 2019, consumers are becoming more wary, as they gain better understanding, not only of the value of their personal information, but also their rights regarding what data is being collected without their consent.
But, probably one of the biggest effects that the GDPR has made on businesses, is that companies appear to be putting more thought into what personal data they collect, store and process, as well the general management of that data. ‘Data Controllers’ now must show evidence that they are protecting and managing people’s personal data properly and in accordance with the GDPR.
The Marriott hack of 2018 is a good example of excessive amounts of data being collected and retained, without a ‘legitimate interest’ nor any other clear reason. No justification was found for the collection of the data, and no safeguards were in place to protect it. The mismanagement of this data was only exposed when the breach was identified and reported.
Matthew Aldridge, Senior Solutions Architect at Webroot explains that, consumer data is too easily sold from one company to the next without the customer’s knowledge. When a company (such as Equifax in 2017) is hacked, it can impact people who are unaware where their data is stored. This business model may be profitable in the short term but can lead to issues further down the line. This is why regulations such GDPR are essential.
However, as businesses are forced to control their data much more tightly, they can appear to be fully compliant whilst still not fully addressing security risks. Regulation can only go so far – if businesses focus on best practices for cybersecurity, data protection and combine this with compliance they will be giving themselves the best chance of business success, whilst protecting their customers and their data.
When personal data gets into the wrong hands
Following a successful cyberattack, username and password combinations regularly end up for sale on the dark web. Recently, 620 million accounts stolen from 16 high profile breaches (including MyFitnessPal) which occurred in 2018 showed up for sale on the dark web.
Nefarious individuals can purchase personal data for as little as $3 and utilise this information to gain network access to an organisation to deliver malicious payload or perform cyber espionage. This perpetuating cycle tends to amplify successful attacks, with effects that reverberate for months or years.
A new perspective
Businesses need to recognise that the events of 2018 have shaped attitudes towards data protection and a comprehensive approach is needed to keep data safe. Rather than view data protection as a box-ticking exercise, it should be a key priority and integrated into every aspect of the business to ensure comprehensive coverage and consistency.
To maintain trust and protect reputations, a multi-layered security strategy is needed, which also incorporates transparency. Customers should be aware of how, where and why their data is being used. This year, the recurring theme of data protection should represent both a reminder and opportunity for businesses to ensure that their processes stand up to scrutiny.
In addition, they should strive to have an open dialogue with their customers to educate them on how their data is being used and ultimately protected. A continuous commitment to this approach will go far in maintaining trust and bolstering reputation, even if an incident occurs.
Sources and credits: Webroot