In May my Thursday Thoughts was a bit of a SME Guide and last month I was focussing on the launch of my latest book so for this month’s Thursday Thoughts I though it was time to look at things from an individual’s point of view. Theres loads of advice and guidance out there, lots of dire warnings about the risks to your data and advice on what your rights are … what there is a decided lack of (IMHO) is sensible advice on how to do things and where to go for help.
In order to do this I’ve been through my diary to look at the topics I’ve been dealing with over the last couple of months. Turns out everything from 2 factor authentication to the Right to Be Forgotten would benefit from having the light shone on them from the individaul’s point of view. So here goes.
I have nothing to hide so what does it matter what I post
I hear this most often from individuals who post regularly about their lives on Social Media. But there are things that we all need to be aware of. If we have a social media account and use it often there are things on there that we may not think others could use and more importantly what we post on line stays there so it’s helpful to also consider what our future selves would think of our posts. There are also cases where future (and current) employers look at social media posts to check out what they can learn about individuals.
Here are some things you may not have thought of:
By not protecting our accounts with 2 Factor Authentication someone may use information you post to hack into your account and lock you out – it is often VERY hard to get an account back if this happens to you and they can post what they like pretending to be you.
Posting while you are on holiday is great but if you’ve already shared where you live on SM and it’s obvious that your home will be empty while you are away your insurance will be invalid should you be burgled (yes that was a shock to me too so thanks to Mark from A Plan Insurance for that nugget).
The organisation you work for (now or in the future) may have strict rules about making information public or the sharing of their staff’s opinions on social media. Make sure that you know
Posting about a great day out when you are on sick leave is likely to get you in trouble with your employer!
WhatsApp is designed for person to person informal communication and it is against their terms and conditions to use it for business. It is unlikely therefore that this will need to be released if the company receives a Subject Access Request.
Platforms like Youtube have strict “cyberbullying and harassment involving minors” rules which includes recording and posting about someone “without their consent”. They can take down your account if you infringe this rule.
I know I should protect my data but I don’t know how
Sometimes this is also translated as I just don’t have time to deal with this just now!
The most important thing is to protect your devices and then your accounts. Most devices require a password, thumb print or facial recognition. What you use is up to you but if it’s easy to guess then there is a potential risk. What I am not saying is that if the only number granny can remember is the year of her birth and this is what she uses to unlock the phone you should make her stop. It’s all about the likely risk. If there’s very little on the device, all the accounts are protected by 2FA and granny doesn’t go out much then the risk is much less than if it were your account with internet banking and your whole life on it and you are using 0000 with no other protection.
If you don’t know how to set up 2FA the NCSC has how to guides for all the major platforms and the company you purchase your device from should be able to help you set up protection on the device.
After these 2 steps then you should start thinking about how you are tracked across the internet.
Don’t blindly allow tracking cookies 0 do 1400+ companies really need to know what you are looking at. Yes it’s bit of a faff but there are settings on your browser to restrict them and website cookie banners should give you a reject all cookies option.
Check out as a guest on websites you plan to use once or infrequently. They really do not need all your data.
Treat all links with suspicion whether they are in emails, SMS, Whats App, Facebook Messenger or direct messages on other apps. They are all potentially a source of malware.
If you are asked to pay something for a service you’d expect to be free or told of a delivery you aren’t expecting then check if it’s a known scam. You can even put in telephone numbers and email addresses into google and it will tell you if others have
Report suspicious emails and texts to the NCSC report@phishing.gov.uk or by text to 7726. They can investigate and take it down. You can then block the sender and delete the messages. If it is genuine the company can contact you another way.
Remember that some websites track information before you submit it. Tracking information including email and passwords while the visitor is still typing. If you don’t need to fill in the information leave it blank or make something up.
Don’t use the same password for everything
Check out haveibeenpwned.com to see if your data is at risk or is on a list of compromised information. Change the passwords on any accounts that are!
What are my rights when a business has my data
You have a right to know how the company is going to use your data when it is shared, with whom it is shared as well as how and when it will be disposed of or deleted. This should be articulated somewhere in a Privacy Notice or policy. You also have a number of other rights:
You have the right to make a subject access request
This means you can ask to see all the data the company has on you. This will mean they will have to check hard copy files as well as all emails and internal documents that have the your data in it and then they need to share this information with you. There is a timescale for this to be completed in. This is generally one month but for complex requests or in small organisations the period can be extended to 3 months. There are some myths out there so here are some points you may not know:
If you say you want to see everything and there is a lot of data to go through the company are likely to take the full 3 months or longer to comply.
The company does not have to provide you with copies of emails etc, just your personal data in them.
The company is not permitted to release anyone else’s data with yours so you wont see anyone elses name, phone number or email address in the response.
References are not usually provided as part of a subject access request
Individuals have the right to be informed of any data breach,
You have to tell data subjects if you suffer a Data Breach where it will affect their rights and freedoms
Individuals have the right to ask that data you hold is erased or made more accurate
You have to make sure data is kept up to date or deleted.
Organisations must DEMONSTRATE that they are compliant.
You need to document and record your processes so that you can demonstrate your compliance
You can only use the data you have for the purpose you have set out.
You cannot sell it
You must inform individuals if you want to use their data for another purpose and get their agreement.
When you get information from a data broker you have to tell the individual you have it before you start processing it.
Where do Businesses most often fall foul of the Regulations
There are 4 ways that businesses commonly fall foul the most:
Not understanding “Purpose limitation” – for the avoidance of doubt yoould only use data for the purpose you gathered it for
Approaching risk to the individuals from the business standpoint and not the data subject’s
Taking Subject Access Requests personally
Failing to act on data breaches or put appropriate security in place
According to the latest statistics
These are the most common risks to businesses
39% of businesses report they suffered a cyber-attack (same as 2021)
Phishing was the most common attack (83% of attacks)
The average cost of a cyber-attack to the business was £4,200
50% of businesses have an insurance policy that covers cyber attacks
Only 19% of businesses have a formal incident response plan
Most ICO fines so far have been for Electronic Communications infringements (marketing emails and nuisance calls) and not GDPR infringements.
Data Protection News
Facebook doesn’t know what data it has
Leaked reports from engineers at Facebook liken their data management system to “a bottle of ink being poured into a lake of water”. These reports claim that the company cannot keep track of user’s personal data and isn’t ready for the regulations it now faces on how to handle it. Interesting that the Irish Data Protection Commissioner has just fined Meta €17 million for failure to implement appropriate technical and organisational measures to ensure and demonstrate that personal data is processed in compliance with the GDPR. You can read more about the leaked reports here: https://nypost.com/2022/04/27/facebook-open-borders-leads-to-massive-data-leaks-report/
UK data protection is likely to change
For those wanting to keep up to date with the UK’s new National Data and Artificial Intelligence Strategies particularly in relation to the EU/UK “Adequacy Agreement”, International Data Transfers and any reform of the UK General Data Protection Regulation (GDPR) you will find helpful links on the Privacy Solved website: https://www.privacysolved.com/tracking-the-changes-to-uk-data-data-protection-gdpr-and-ai/.