CS Jul-Aug 2023

More documents

Recommendations

Info

privacy crisis REPUTATION TIMEBOMB 'WAITING TO BLOW UP MANY BRANDS' PRIVACY LAW FIRM SCHILLINGS REVEALS THAT MANY COMPANIES ARE INADVERTENTLY BREACHING CONSUMERS’ ONLINE PRIVACY RIGHTS Measures taken by companies to protect consumers data are "not working" and are exposing brands to massive reputational risk, according to research commissioned by privacy law firm Schillings. The study found that company data practices, often owned by marketing and IT teams, are falling short of legal requirements - and in some cases are harming customers by contributing to incorrect online profiles. The report, commissioned by Schillings and conducted by cross-party technology think tank Demos, tracked volunteers as they attempted to reclaim and delete the personal data companies held about them. In doing so, researchers uncovered widespread 'data ethics' challenges at large numbers of companies. The study found that: Up to 65% of companies did not respond to data requests, despite this being a legal requirement under GDPR Processes to help consumers take control of their data - eg, cookie banners - "actively seek to dissuade" people from restricting permissions 'Accepting All' cookies on websites often includes consent for data to be sold to data brokers - with brands unable to control how this data is then used and exposing them to supply chain risks Volunteers were "stunned" and "scared" by how widely their data was spread and sold by companies - with one volunteer discovering 2,242 companies were using their 'off- Facebook' interactions to target them with advertising Controlling your data footprint online is virtually impossible and the idea that individuals can is "a big lie". Volunteers found inaccuracies in the data profiles created about them online - which can cause real-world problems, such as applying for credit. Allan Dunlavy, partner at Schillings, says the study findings show a crisis waiting to happen. "Our study shows that we're in the middle of the largest privacy crisis in history and there is a reputation timebomb waiting to blow up many brands. Brands that are intentionally or inadvertently misusing our data could suffer a serious impact to their reputations, customer base and revenue. We are in a situation where many companies are holding consumer data, not giving people their legal right to access it, and then selling it on into a system they have no control over. The burden is currently on the consumer, rather than the business, to change this, but we see the tide turning against companies that are not helping consumers." STUDY AND RESULTS To create the report, Demos, with support from consumer rights company Rightly, worked with volunteers to discover how far information about them had travelled online - and how it had morphed along the way. Volunteers were helped to exercise their Right of Access (the right under GDPR to ask companies if they are using your personal information and for copies of what they hold) and The Right To Erasure (the right to ask for that data to be deleted - also known as the right to be forgotten). Overall, the research found a deeply frustrating and confusing process, and 12 computing security July/August 2023 @CSMagAndAwards www.computingsecurity.co.uk
privacy crisis an inconsistent picture across data requests to companies. Responses varied dramatically: of all the access requests put out, rates ranged from 65% of companies not responding to one volunteer to just 10% not responding to another. Under GDPR laws, companies are required to respond to consumer requests - but many did not or made the process difficult and time-consuming. The study also found that processes put in place to help consumers have more control over their information online in fact made them more likely to give it away. The biggest gateway to personal data for most users is the GDPRcompliant 'cookie banners' - but Demos concluded the banner's design often actively sought to dissuade users from changing data permissions "through nudges to incentivise you to agree to the most permissive settings". The study also found "accepting all" on cookie banners frequently gave companies permission to sell consumer data onto data brokers - creating a black hole in their ability to protect customer data. "One of the biggest problems right now is companies gathering enormous amounts of data on people, selling it off to data brokers and even they don't know where it ends up," commented one volunteer. DOUBTS RAISED This made them question whether they wished to continue buying from that company, explaining: "It's not necessarily that I don't trust them as a brand not to misuse my data - it's the fact that I don't know who they're selling it to and who that broker is selling it on to". Study volunteers were also surprised by the inaccuracy of profile information companies had compiled about them, based on their online activity. This 'propensity data' is intended to help advertisers target users who are most likely to be interested in their products. However, this data is also used to make decisions which have far-reaching ramifications in the real world, such as whether an individual would qualify for a mortgage or credit card. The study states: "We found a chaotic system that profits from our data, while doing little to empower users to exert their rights: data is collected and inferred about us, and used to make decisions in the dark about what sort of person we are, what sort of products and services we should be offered - from health insurance to mortgages." PANDEMIC HANGOVER Allan Dunlavy goes on to explain that much of the issue was born out of the Covid 19 pandemic: "For many companies, the rush to move to an online business model during the pandemic resulted in shortcuts being taken. We are seeing a lot of data privacy codes of practice overlooked, despite the best of intentions - with many companies often unknowingly contravening data legislation through poorly set up processes. But with privacy becoming a key focus for consumers, companies need to take these issues more seriously. "It's time every company took a long, hard look at how confident they are of their data ethics. This is a strategic reputational problem that needs addressing in the boardroom - not in isolation by a marketing or IT team." Law firm Schillings commissioned the study as part of its 'Accept All: Unacceptable?' campaign, highlighting and addressing the urgent need for society to do more to protect personal privacy online. Volunteers from the study can been seen in the documentary, 'Accept All: Unacceptable?', which was also commissioned by Schillings, now available to view on YouTube here. The film sets out to answer the question : "Why should we care about online privacy?" Allan Dunlavy, Schillings: we're in the middle of the largest privacy crisis in history. www.computingsecurity.co.uk @CSMagAndAwards July/August 2023 computing security 13
Page 1: Computing Security Secure systems,
Page 4 and 5: Secure systems, secure data, secure
Page 6: news Gary Barlet, Illumio. IBM EXPA
Page 9 and 10: DON’T SaaSSS GET YOUR KICKED! ! T
Page 11: ansomware WHY BEING AGILE MATTERS W
Page 15 and 16: Infosecurity Europe Matthew Syed's
Page 17 and 18: Computing Security Secure systems,
Page 19 and 20: workplace welfare within the cybers
Page 21 and 22: identity & access may cause operati
Page 23 and 24: managed services Unfortunately, man
Page 25 and 26: GDPR that bridges the gap between t
Page 27 and 28: GDPR legislation in other parts of
Page 29 and 30: AI enhance SOAR with a generative A
Page 31 and 32: cyber strategy SECURITY BY DESIGN N
Page 33 and 34: ansomware attacks While laws could
Page 35: Computing Security Secure systems,

CS Jul-Aug 2023

Create successful ePaper yourself

Delete template?

Save as template?