It's Your Data, It's Your Life
“It’s my life, it’s now or never, I ain’t gonna live forever” so goes the Bon Jovi song that my daughter was listening to on her iPod this morning. You know what happened next of course; for the rest of the day, I had the line “It’s my life” going around and around in my head, endlessly! But it got me thinking about a few things that really do affect me and what is going to live forever: data, my personal identity data, the stuff that is sitting in organisations’ databases all over the world.
Today when we buy something online, the data that we provide, our names, addresses and phone numbers, are stored in corporate databases. Some companies are kind enough not to share this information; others, less so. The data may be sold to third parties to whom you never intended that it be given. This ever-expanding web of data distribution could be putting your privacy and possibly your personal security at risk. In the cyber world there appears to be an increase in very complex social engineering attacks where hackers who have stolen your data are using it to trick you into giving them the credentials to your bank accounts, to use your credit card, to access your passwords for your email accounts. And then, once they have this information, they can cause untold damage, both financial and personal. These social engineering attacks can happen at any time but are likely to occur with greater frequency around Christmas, when consumers are more likely to fall victim to them.
At a conference I recently attended, where I spoke on the dangers of our personal information being leaked online, an astonishing thirty-eight per cent of the audience said that they didn’t care what happens to their data. This number has fallen over the last couple of years but it still needs to go lower. I think of this group of people as akin to those who say that they don’t need insurance. You never know that you need it until after an event has happened and the damage has been done. By then it is too late.
However, all is not lost. With the impending enactment of the new EU General Data Protection Regulation, the so-called ‘Right-To-Be-Forgotten’, all organisations that collect and store personal data will have to comply with a whole new set of laws.
Firstly, my identity and personal data will be mine, legally. On demand, the organisation holding it will have to make a copy of it available to me in a form that is readily re-usable. In addition, they will have to delete it, if I so request, unless they are in a small category of regulated industries where the retention of data is strictly controlled by law. The penalties for organisations failing to comply will be punitive and could range from two to five per cent of their global revenue. This is a profound change to the personal data landscape and will drive significant change in the technologies that manage this data.
In order to comply, new technologies will have to be developed that allow consumers to easily see what data an organisation holds about them. If that data relates to your identity, you should be able to check if that data is current or out-of-date. You should be able to request a deletion of it, or a refresh if that is what you decide. However, in the process of making this data available to you, an organisation is not relieved of its obligations to protect both it and, by extension, your privacy. Stronger protections must be employed to ensure that hackers cannot infiltrate a company’s systems and steal your information.
Furthermore, new techniques like tokenisation will be employed to put tighter controls on who uses your personal identity information, and on when and where it is used and stored. You will decide which organisations you trust to manage your identity on your behalf. These organisations will act as your proxy and will allow temporary access to companies and vendors who need access to your identity information under limited circumstances to perform a task. Once the task has been completed, the access will be withdrawn and none of your personal data will remain with the vendor.
An example might be where you purchase a pair of shoes from Jimmy’s Shoe Shop. Jimmy’s Shoe Shop will be given a time-limited token to access your name, address and phone number. Once the shoes have been delivered, the only thing that remains with Jimmy’s Shoe Shop is the token reference number, which will expire.
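The shoe shop scenario above can be sketched in code. This is an added example, not part of the original article: the `IdentityProxy` class, its method names, the vendor identifier and the sample customer data are all hypothetical, and the clock is injected so expiry can be checked offline.

```python
import secrets
import time


class IdentityProxy:
    """Hypothetical identity provider: keeps the data, hands out references."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._vault = {}   # subject -> personal data (held only by the proxy)
        self._grants = {}  # token reference -> grant record

    def enrol(self, subject, **personal_data):
        self._vault[subject] = dict(personal_data)

    def issue_token(self, subject, vendor, fields, ttl_seconds):
        """Grant one vendor access to the named fields until the TTL runs out."""
        ref = secrets.token_urlsafe(16)  # opaque: encodes no personal data
        self._grants[ref] = {"subject": subject, "vendor": vendor,
                             "fields": tuple(fields), "revoked": False,
                             "expires": self._clock() + ttl_seconds}
        return ref

    def resolve(self, ref, vendor):
        """Return only the granted fields, or refuse if the grant no longer holds."""
        grant = self._grants.get(ref)
        if grant is None or grant["vendor"] != vendor:
            raise PermissionError("token not valid for this vendor")
        if grant["revoked"] or self._clock() >= grant["expires"]:
            raise PermissionError("token expired or withdrawn")
        data = self._vault[grant["subject"]]
        return {field: data[field] for field in grant["fields"]}

    def withdraw(self, ref):
        """Withdraw access early, e.g. once delivery is confirmed."""
        if ref in self._grants:
            self._grants[ref]["revoked"] = True


def demo():
    now = [1_000.0]  # constructed clock so expiry can be shown offline
    proxy = IdentityProxy(clock=lambda: now[0])
    proxy.enrol("alice", name="Alice Example", address="1 Sample Street",
                phone="555-0100", email="alice@example.test")  # constructed data
    ref = proxy.issue_token("alice", "jimmys-shoe-shop",
                            ["name", "address", "phone"], ttl_seconds=3600)
    seen = proxy.resolve(ref, "jimmys-shoe-shop")  # the shop reads at dispatch
    proxy.withdraw(ref)                            # shoes delivered
    return proxy, ref, seen
```

The shop's own database only ever needs to hold `ref`; a copy of that database taken after delivery contains a reference the proxy will no longer honour.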
So, in summary, think carefully about where your data is going. Be aware that any emails you receive that look legitimate but arrive in a strange context may be targeting you. And lastly, take control of your data. It is yours after all and you will be entitled to control how it is used.