Five Threats Being Tackled By GDPR

Only a fortnight to go before the May 25th GDPR deadline. Talking to organisations, there is the expected flurry of activity to become compliant and the expected promotions offering solutions. So it’s a good time to remind ourselves what GDPR is trying to address.

Data Breach

GDPR is in part a response to the significant data breaches that are reported periodically in the news. It also tackles the many major unreported breaches that are now commonplace.

How often we used to wonder how a civil servant could leave a laptop or mobile phone on the tube, on a bus or in a car. Now about 2% of owners report a phone theft annually, which is 0.5M phones. Add in the unreported cases, and loss is now common. Then consider how much we use our phones for business and the access an unprotected phone gives to all sorts of data.

Then there is the malicious data breach. Email attack is the most common of these. Most businesses have received a simple phishing email. They used to be obvious, but now they can appear genuine, spurious attachments included. And that seemingly harmless Word document gives no sign of the malicious code already harvesting and reporting back the data held on your devices.

Social Engineering

Spear phishing is the next level up. Here the hacker knows enough about you to tailor the content of their email to encourage you to take the fatal step. An email apparently sent from the CEO’s own address while she is away on a trip, saying she needs you to transfer £20K now for the deal to go ahead, is a socially engineered spear phishing attack.

It uses context and profile to create action. Similarly, organisations increasingly use automated decision-making based on the profiles they build up of their prospects and clients. GDPR prevents decisions being made solely by automation by ensuring there is a human override. The worst examples of this stem from the stock market crashes of 2008. Then too few people understood the models to halt the continuous selling or, earlier, to question the real sense of giving mortgages to those unable to repay.

Another aspect of social engineering is the right to be forgotten. The digital world can call up everything through a few keystrokes. No longer can the errors of youth be safely allowed to fade. Nor can your vague interest in something in the last 5 years be a reason why that organisation still contacts you. Here organisations wrongly see value in a massive prospect database, rather than understanding that a smaller, relationship-based database is more effective.

Inappropriate Use

The web is a great tool for pinpointing suspects, prospects and clients according to a marketing profile. The Cambridge Analytica story shows how it could be ‘misused’. Alternatively, see the real dangers of lists being passed on from one organisation to another. In the charity sector this created a bombardment of mass communication aimed at those most likely to respond, with lethal results.

Individuals will now have some tools to take back some control, but not all. The advances in technology mean that with the right kit and enough data someone can create a full profile of an individual. It is frightening how few pieces are needed.

As individuals and organisations, we would aim never knowingly to share personal data. But through data breach, social engineering and inappropriate use, it is too easy for the unethical to collect the pieces that allow them to do this. That is why GDPR is a good step in defending against the tide, although it can never be the whole solution.