Data subject access requests pose GDPR risk

Data subject access requests (DSARs) are a key part of GDPR. By allowing individuals to request a copy of the personal data an organisation holds on them, they ensure transparency and give people the awareness and ability to protect their own information.

However, an unexpected side-effect is that DSARs also pose a risk to the very people they are meant to protect, because many organisations do not take sufficient steps to verify that a request genuinely comes from the data subject before releasing the data.

The issue was demonstrated by Oxford University PhD student James Pavur. Having sent 150 data subject access requests in his fiancée’s name (with her consent), he was given her data by almost a quarter of the organisations with no more confirmation of identity than her email address or phone number.

As reported by Econsultancy:

Clearly, subject access creates a significant and previously not well-publicized risk for businesses.

While GDPR compliance has been a great concern for many companies, and Pavur’s research indicates that a large percentage are taking subject access requests seriously, the lack of a standard for what constitutes reasonable identity verification leaves companies vulnerable and gives bad actors the ability to turn a consumer data protection law into a weapon for stealing consumer data.

Perhaps not surprisingly, just as small and mid-sized organizations struggled the most to prepare for the GDPR, these organizations also appear to be the most vulnerable to subject access abuses. According to Pavur, the largest organizations he sent requests to “tended to perform well”. Non-profits and mid-sized businesses, on the other hand, were responsible for 70% of the mishandled requests.

You can read the full article from Econsultancy here: https://econsultancy.com/identity-verification-is-now-an-important-gdpr-issue/

The data that Pavur gained access to was often highly sensitive. In one case, he obtained his fiancée’s US social security number without providing any documentation at all. He also obtained bank details and, from a breach-notification service, usernames and passwords that she was still using.

All of this indicates that there is still a long way to go when it comes to GDPR compliance. In attempting to meet the one-month deadline for subject access requests, organisations were failing in their separate obligation to keep personal data secure. GDPR itself anticipates this tension: Article 12(6) allows a controller that has reasonable doubts about the identity of the person making a request to ask for additional information to confirm it, and Article 32 still requires appropriate security for the data regardless of who is asking for it. Releasing a full copy of someone’s record on the strength of an email address alone satisfies neither.

If you’re uncertain about how to ensure GDPR compliance, Activa Consulting can help. Get in touch with us today and our expert data protection consultants will provide the guidance that you need.

Google ordered to stop manual review of recordings via Article 66

Under GDPR’s Article 66 urgency procedure, Google has been ordered by the Hamburg data protection authority to stop the manual review of audio recordings from its Google Assistant service in the EU, on the grounds that the process breaches data protection law.

This follows a data leak last month of more than 1,000 recordings, passed to the Belgian public broadcaster VRT by a contractor working on the review process. VRT was able to identify some of the people in the clips, and the recordings revealed data such as their addresses and medical conditions.

While Google has taken steps to report the breach to the Irish Data Protection Commission (DPC), it’s the fact that it has been forced to stop processing this data that is most significant here.

As reported by TechCrunch:

The real enforcement punch packed by GDPR is not the headline-grabbing fines, which can scale as high as 4% of a company’s global annual turnover — it’s the power that Europe’s DPAs now have in their regulatory toolbox to order that data stops flowing.

“This is just the beginning,” one expert on European data protection legislation told us, speaking on condition of anonymity. “The Article 66 chest is open and it has a lot on offer.”

This appears to be the first time that the Article 66 urgency procedure has been invoked, and it demonstrates that GDPR gives data protection regulators a powerful tool. Not only can they levy large penalties after a breach has occurred, they can order an organisation to stop a processing activity while it is still running.

The key requirement for Article 66 is that there is “an urgent need to act in order to protect the rights and freedoms of data subjects”; the provisional measures it allows are limited to three months and to the authority’s own territory, which is why the order covers the EU rather than Google’s worldwide operations.

This case also demonstrates that personal data includes audio and video recordings, not just written records. Under GDPR, personal data is any information relating to a person who can be identified, directly or indirectly, whether from that information on its own or in combination with other information.

Not sure whether your organisation’s data handling processes are compliant with GDPR? Our expert advice can help. Contact us today to find out how our consultancy services can help you!

CEOs unaware of GDPR non-compliance

A new investigation by Delphix has uncovered some worrying information about GDPR non-compliance in the UK, with many businesses unaware that they are failing to meet their obligations under the regulation.

Despite the fines and penalties involved in GDPR non-compliance, illustrated by the ICO’s recent notice of intent to fine British Airways, many organisations seemed unaware of the need to be careful with personal data.

Employees revealed that they are often unaware of whether they are GDPR compliant or not, with some showing little concern about the matter. One chief information security officer (CISO) even admitted to lying to their CEO about the company’s compliance levels.

As reported by DataCentreNews:

“These confessions should come as a wake-up call to the C-suite,” says Delphix CTO Eric Schrock.

“It is clear that the vast majority of top-level execs are blissfully unaware of how easily accessible their highly sensitive data is,” he adds.

“Pair that with growing frustration amongst developers looking to acquire data quickly and we have the perfect recipe for disaster.”

You can read the full article from DataCentreNews here: https://datacentrenews.eu/story/ceos-falsely-led-to-believe-company-is-gdpr-compliant-delphix

That data protection awareness is not better at the very highest levels of business should be a major concern. People at these levels often have the broadest access to personal data, and they are the ones who sign off on whether it is protected.

Data protection and awareness of GDPR should always be incorporated into business processes by design and default. By implementing this philosophy, the kinds of lapses that Delphix uncovered are much less likely to occur.

It’s also important that data protection training be carried out across the entire organisation, from both the lowest level employee to the highest. Anybody within an organisation can be responsible for a data breach; improving awareness of a company’s GDPR non-compliance starts by educating the workforce.

Here at Activa Consulting, we offer a range of staff training options, both in-person and online, to help minimise the risk of data breaches and the resulting fines. If you’re concerned about your compliance levels, get in touch with us today!

Facebook “Like” button could be GDPR risk

It’s common to see the Facebook Like button on websites these days, but it may be a liability for those sites as a result of a new ruling from the European Court of Justice (ECJ).

The court has decided that a website operator which embeds the button is a joint controller, together with Facebook, for the collection of visitors’ personal data and its transmission to Facebook that the button triggers. The operator therefore shares liability for that processing, including where the data is subsequently breached.

Given the social media giant’s infamous history regarding data protection issues, there’s good reason to be worried about the Facebook Like button. As reported by The Drum:

In their ruling the judges say the use of such widgets by any organisation amounts to being a joint data controller, meaning that websites “must provide, at the time of their collection, certain information to those visitors such as, for example, its identity and the purposes of the [data] processing.”

The darker side of Facebook’s Like button has come to prominence in recent months on the back of a series of privacy scandals to rock Facebook, with analysts pointing out that its primary function isn’t as a digital show of support but a tool to track individuals and permit data collection beyond Facebook’s products.

This was brought to light in a case involving German retailer Fashion ID which was sued by consumer rights group Verbraucherzentrale NRW over its use of the Facebook widget which escalated to the ECJ, which has now determined that Fashion ID must be considered a data controller in terms of both the collection and transmission of data.

You can read the full article here: https://www.thedrum.com/news/2019/07/30/facebook-s-button-poses-gdpr-risks-host-websites

Sharing responsibility for Facebook’s data collection is a serious exposure, and given its track record the consequences could be severe for a smaller company. Note that the button transmits visitor data to Facebook as soon as the page loads, whether or not the visitor ever clicks it. Many websites would therefore do well to remove the Facebook Like button altogether, or at least to ensure that visitors are informed and, where consent is the legal basis, that it is obtained before the widget loads.

This demonstrates how important it is to be aware not only of your own data protection processes, but also of those of the third-party scripts, plugins and services you embed.

You may believe your organisation to be GDPR compliant, but if you use the services of one which isn’t, you may still be liable, as controller or joint controller, for data breaches that occur as a result of their failings.

If you think this is a concern at your company, we can help. Contact us today – our GDPR consultancy services can help improve your compliance levels and reduce the data protection risks businesses face.

Data stolen from Lancaster University students

A phishing attack has resulted in Lancaster University students and applicants having data stolen, with the stolen data then being used to send fraudulent invoices to applicants.

The data stolen included sensitive information such as names, phone numbers, email addresses and ID documents. The breach occurred after the attackers gained access to the university’s systems, apparently through the phishing attack.

In the BBC’s analysis, it was stated that:

Lawyer Helen Davenport, who advises clients on cyber security, said it was “essential” sectors such as higher education took cyber-security risks “seriously” and put training and software in place to “proactively shield against future attacks”.

She said “all eyes” would now be on how the attack had impacted students’ data and how the university intended “to guard against something likely to be attempted again”.

Failure to do so “could affect the attractiveness of the university to future candidates”, she added.

The full article from the BBC can be read here: https://www.bbc.co.uk/news/uk-england-lancashire-49081056

It’s important to note that although this breach is potentially very damaging for the students affected, Lancaster University has responded swiftly. Since becoming aware of the breach on the Friday before the announcement, the university has notified both the Information Commissioner’s Office (ICO) and the National Crime Agency (NCA), which is within the 72-hour window GDPR allows for reporting a breach to the regulator.

It is also moving to protect its data subjects, securing its systems and contacting those affected with advice.

Having good procedures in place in case of a data breach will always be regarded favourably by the ICO. It will be some time before we learn what penalty, if any, Lancaster University faces, but by acting as it has, it has likely reduced any fine.

If you’re uncertain about the correct procedures to follow in case of a data breach, we can help here at Activa Consulting. Click here to get in touch with us about our wide range of consultancy offers, including self-management software and interim Data Protection Officer services.

30% of EU businesses fail GDPR compliance

A new survey of EU firms by RSM has found that 30% admit they are not GDPR compliant, and that a further 13% are not certain whether they are compliant or not. This leaves only 57% confident in their data protection processes.

This is worrying news given that it has been over a year since GDPR began to apply. All of these organisations had two years’ notice and should have ensured that they were compliant before 25th May 2018. By failing to do so, they are putting both themselves and their customers at risk.

As reported by Silicon:

It seems that there is no single issue to blame for non-compliance, but middle market businesses are apparently struggling to understand and implement a whole range of areas covered by the regulation.

The survey found that more than a third (38 percent) of non-compliant businesses do not understand when consent is required to hold and process data, 35 percent are unsure how they should monitor their employees’ use of personal data and 34 percent don’t understand what procedures are required to ensure third party supplier contracts are compliant.

The good news however is that despite the lack of compliance, GDPR is starting to have a positive impact on cyber security.

According to RSM, almost three quarters (73 percent) of European businesses say GDPR has encouraged them to improve the way they manage customer data and 62 percent say it has seen them increase their investment in cyber security. But alarmingly 21 percent of businesses admit that they still have no cyber security strategy in place.

You can read the full article here: https://www.silicon.co.uk/security/security-management/third-not-gdpr-compliant-272411

It therefore seems as if GDPR’s overall effect so far has been mixed. But with enforcement now under way, and the ICO having issued British Airways with a notice of intent to fine it a record £183 million, firms need to start taking their compliance more seriously.

We would always advise that data protection should be built in by design and by default. Aside from the financial risk of not being GDPR compliant, these firms also risk losing the trust of their customers, and they miss the operational benefits, such as knowing what data they hold and where, that come from getting compliance right.

If you’re concerned that your organisation fails GDPR compliance, or want to further improve your data protection procedures and therefore your efficiency, click here to contact us today and find out more about our GDPR consultancy packages.